Add daemon socket owner enforcement via SO_PEERCRED

.github/dependabot.yml

@@ -1,45 +0,0 @@
-version: 2
-updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    open-pull-requests-limit: 15
-    groups:
-      actions:
-        patterns:
-          - "*"
-    ignore:
-      # git-town/action v1.3.x crashes on cyclic PR graphs (self-loop main->main
-      # fork PRs) via its topological-sort visualization. Pinned to v1.2.1 in
-      # git-town.yml; block v1.3.x until upstream tolerates cyclic edges.
-      - dependency-name: "git-town/action"
-        update-types:
-          - "version-update:semver-minor"
-          - "version-update:semver-major"
-
-  - package-ecosystem: "gomod"
-    directories:
-      - "/"
-    schedule:
-      interval: "daily"
-    open-pull-requests-limit: 15
-    groups:
-      aws-sdk:
-        patterns:
-          - "github.com/aws/aws-sdk-go-v2/*"
-      pion:
-        patterns:
-          - "github.com/pion/*"
-      gorm:
-        patterns:
-          - "gorm.io/*"
-      otel:
-        patterns:
-          - "go.opentelemetry.io/*"
-      testcontainers:
-        patterns:
-          - "github.com/testcontainers/testcontainers-go/*"
-      wireguard:
-        patterns:
-          - "golang.zx2c4.com/wireguard*"

.github/workflows/check-license-dependencies.yml

@@ -2,16 +2,16 @@ name: Check License Dependencies
 
 on:
   push:
-    branches: [main]
+    branches: [ main ]
     paths:
-      - "go.mod"
-      - "go.sum"
-      - ".github/workflows/check-license-dependencies.yml"
+      - 'go.mod'
+      - 'go.sum'
+      - '.github/workflows/check-license-dependencies.yml'
   pull_request:
     paths:
-      - "go.mod"
-      - "go.sum"
-      - ".github/workflows/check-license-dependencies.yml"
+      - 'go.mod'
+      - 'go.sum'
+      - '.github/workflows/check-license-dependencies.yml'
 
 jobs:
   check-internal-dependencies:
@@ -19,10 +19,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+      - uses: actions/checkout@v4
 
       - name: Check for problematic license dependencies
         run: |
@@ -59,57 +56,55 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+    - uses: actions/checkout@v4
 
-      - name: Set up Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
-        with:
-          go-version-file: "go.mod"
-          cache: true
+    - name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version-file: 'go.mod'
+        cache: true
 
-      - name: Install go-licenses
-        run: go install github.com/google/go-licenses@v1.6.0
+    - name: Install go-licenses
+      run: go install github.com/google/go-licenses@v1.6.0
 
-      - name: Check for GPL/AGPL licensed dependencies
-        run: |
-          echo "Checking for GPL/AGPL/LGPL licensed dependencies..."
+    - name: Check for GPL/AGPL licensed dependencies
+      run: |
+        echo "Checking for GPL/AGPL/LGPL licensed dependencies..."
+        echo ""
+
+        # Check all Go packages for copyleft licenses, excluding internal netbird packages
+        COPYLEFT_DEPS=$(go-licenses report ./... 2>/dev/null | grep -E 'GPL|AGPL|LGPL' | grep -v 'github.com/netbirdio/netbird/' || true)
+
+        if [ -n "$COPYLEFT_DEPS" ]; then
+          echo "Found copyleft licensed dependencies:"
+          echo "$COPYLEFT_DEPS"
           echo ""
 
-          # Check all Go packages for copyleft licenses, excluding internal netbird packages
-          COPYLEFT_DEPS=$(go-licenses report ./... 2>/dev/null | grep -E 'GPL|AGPL|LGPL' | grep -v 'github.com/netbirdio/netbird/' || true)
+          # Filter out dependencies that are only pulled in by internal AGPL packages
+          INCOMPATIBLE=""
+          while IFS=',' read -r package url license; do
+            if echo "$license" | grep -qE 'GPL-[0-9]|AGPL-[0-9]|LGPL-[0-9]'; then
+              # Find ALL packages that import this GPL package using go list
+              IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
 
-          if [ -n "$COPYLEFT_DEPS" ]; then
-            echo "Found copyleft licensed dependencies:"
-            echo "$COPYLEFT_DEPS"
-            echo ""
+              # Check if any importer is NOT in management/signal/relay
+              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\|tools/idp-migrate\)" | head -1)
 
-            # Filter out dependencies that are only pulled in by internal AGPL packages
-            INCOMPATIBLE=""
-            while IFS=',' read -r package url license; do
-              if echo "$license" | grep -qE 'GPL-[0-9]|AGPL-[0-9]|LGPL-[0-9]'; then
-                # Find ALL packages that import this GPL package using go list
-                IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
-
-                # Check if any importer is NOT in management/signal/relay
-                BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\|tools/idp-migrate\)" | head -1)
-
-                if [ -n "$BSD_IMPORTER" ]; then
-                  echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
-                  INCOMPATIBLE="${INCOMPATIBLE}${package},${url},${license}\n"
-                else
-                  echo "✓ $package ($license) is only used by internal AGPL packages - OK"
-                fi
+              if [ -n "$BSD_IMPORTER" ]; then
+                echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
+                INCOMPATIBLE="${INCOMPATIBLE}${package},${url},${license}\n"
+              else
+                echo "✓ $package ($license) is only used by internal AGPL packages - OK"
               fi
-            done <<< "$COPYLEFT_DEPS"
-
-            if [ -n "$INCOMPATIBLE" ]; then
-              echo ""
-              echo "❌ INCOMPATIBLE licenses found that are used by BSD-licensed code:"
-              echo -e "$INCOMPATIBLE"
-              exit 1
             fi
-          fi
+          done <<< "$COPYLEFT_DEPS"
 
-          echo "✅ All external license dependencies are compatible with BSD-3-Clause"
+          if [ -n "$INCOMPATIBLE" ]; then
+            echo ""
+            echo "❌ INCOMPATIBLE licenses found that are used by BSD-licensed code:"
+            echo -e "$INCOMPATIBLE"
+            exit 1
+          fi
+        fi
+
+        echo "✅ All external license dependencies are compatible with BSD-3-Clause"

.github/workflows/docs-ack.yml

@@ -83,7 +83,7 @@ jobs:
 
       - name: Verify docs PR exists (and is open or merged)
         if: steps.validate.outputs.mode == 'added'
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v7
         id: verify
         with:
           pr_number: ${{ steps.extract.outputs.pr_number }}

.github/workflows/forum.yml

@@ -8,10 +8,11 @@ jobs:
   post:
     runs-on: ubuntu-latest
     steps:
-      - uses: roots/discourse-topic-github-release-action@557d74ea05b6cc0c47f555c1d5d28a89d904005b # v1.1.0
+      - uses: roots/discourse-topic-github-release-action@main
         with:
           discourse-api-key: ${{ secrets.DISCOURSE_RELEASES_API_KEY }}
           discourse-base-url: https://forum.netbird.io
           discourse-author-username: NetBird
           discourse-category: 17
-          discourse-tags: releases
+          discourse-tags:
+            releases

.github/workflows/git-town.yml

@@ -3,7 +3,7 @@ name: Git Town
 on:
   pull_request:
     branches:
-      - "**"
+      - '**'
 
 jobs:
   git-town:
@@ -15,9 +15,7 @@ jobs:
       pull-requests: write
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-      - uses: git-town/action@3d8b878379abb1ee393fb49865a28b4a6c2cd3b0 # v1.2.1
+      - uses: actions/checkout@v4
+      - uses: git-town/action@v1.2.1
         with:
           skip-single-stacks: true

.github/workflows/golang-test-darwin.yml

@@ -16,18 +16,16 @@ jobs:
     runs-on: macos-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
 
       - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
           cache: false
 
       - name: Cache Go modules
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
         with:
           path: ~/go/pkg/mod
           key: macos-gotest-${{ hashFiles('**/go.sum') }}
@@ -46,3 +44,4 @@ jobs:
 
       - name: Test
         run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+

.github/workflows/golang-test-freebsd.yml

@@ -15,31 +15,20 @@ jobs:
     name: "Client / Unit"
     runs-on: ubuntu-22.04
     steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Read Go version from go.mod
-        id: goversion
-        run: echo "version=$(awk '/^go / {print $2}' go.mod)" >> "$GITHUB_OUTPUT"
-
+      - uses: actions/checkout@v4
       - name: Test in FreeBSD
         id: test
-        env:
-          GO_VERSION: ${{ steps.goversion.outputs.version }}
-        uses: vmactions/freebsd-vm@d1e65811565151536c0c894fff74f06351ed26e6 # v1.4.5
+        uses: vmactions/freebsd-vm@v1
         with:
           usesh: true
           copyback: false
-          release: "15.0"
-          envs: "GO_VERSION"
+          release: "14.2"
           prepare: |
             pkg install -y curl pkgconf xorg
-            GO_TARBALL="go${GO_VERSION}.freebsd-amd64.tar.gz"
+            GO_TARBALL="go1.25.3.freebsd-amd64.tar.gz"
             GO_URL="https://go.dev/dl/$GO_TARBALL"
             curl -vLO "$GO_URL"
-            tar -C /usr/local -vxzf "$GO_TARBALL"
+            tar -C /usr/local -vxzf "$GO_TARBALL"            
 
           # -x - to print all executed commands
           # -e - to faile on first error

.github/workflows/golang-test-linux.yml

@@ -18,11 +18,9 @@ jobs:
       management: ${{ steps.filter.outputs.management }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
 
-      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+      - uses: dorny/paths-filter@v3
         id: filter
         with:
           filters: |
@@ -30,7 +28,7 @@ jobs:
               - 'management/**'
 
       - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
           cache: false
@@ -38,10 +36,10 @@ jobs:
       - name: Get Go environment
         run: |
           echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
 
       - name: Cache Go modules
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
         id: cache
         with:
           path: |
@@ -115,16 +113,14 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        arch: ["386", "amd64"]
+        arch: [ '386','amd64' ]
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
 
       - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
           cache: false
@@ -132,10 +128,10 @@ jobs:
       - name: Get Go environment
         run: |
           echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
 
       - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
         with:
           path: |
             ${{ env.cache }}
@@ -162,16 +158,14 @@ jobs:
 
   test_client_on_docker:
     name: "Client (Docker) / Unit"
-    needs: [build-cache]
+    needs: [ build-cache ]
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
 
       - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
           cache: false
@@ -183,7 +177,7 @@ jobs:
           echo "modcache_dir=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
 
       - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
         id: cache-restore
         with:
           path: |
@@ -237,12 +231,10 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
 
       - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
           cache: false
@@ -254,10 +246,10 @@ jobs:
       - name: Get Go environment
         run: |
           echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
 
       - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
         with:
           path: |
             ${{ env.cache }}
@@ -285,16 +277,14 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        arch: ["386", "amd64"]
+        arch: [ '386','amd64' ]
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
 
       - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
           cache: false
@@ -308,7 +298,7 @@ jobs:
           echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
 
       - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
         with:
           path: |
             ${{ env.cache }}
@@ -334,16 +324,14 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        arch: ["386", "amd64"]
+        arch: [ '386','amd64' ]
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
 
       - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
           cache: false
@@ -355,10 +343,10 @@ jobs:
       - name: Get Go environment
         run: |
           echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
 
       - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
         with:
           path: |
             ${{ env.cache }}
@@ -382,21 +370,19 @@ jobs:
 
   test_management:
     name: "Management / Unit"
-    needs: [build-cache]
+    needs: [ build-cache ]
     strategy:
       fail-fast: false
       matrix:
-        arch: ["amd64"]
-        store: ["sqlite", "postgres", "mysql"]
+        arch: [ 'amd64' ]
+        store: [ 'sqlite', 'postgres', 'mysql' ]
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
 
       - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
           cache: false
@@ -404,10 +390,10 @@ jobs:
       - name: Get Go environment
         run: |
           echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
 
       - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
         with:
           path: |
             ${{ env.cache }}
@@ -424,7 +410,7 @@ jobs:
 
       - name: Login to Docker hub
         if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USER }}
           password: ${{ secrets.DOCKER_TOKEN }}
@@ -441,7 +427,7 @@ jobs:
         run: docker pull mlsmaycon/warmed-mysql:8
 
       - name: Test
-        run: |
+        run: |          
           CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
           NETBIRD_STORE_ENGINE=${{ matrix.store }} \
             CI=true \
@@ -451,13 +437,13 @@ jobs:
 
   benchmark:
     name: "Management / Benchmark"
-    needs: [build-cache]
+    needs: [ build-cache ]
     if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
     strategy:
       fail-fast: false
       matrix:
-        arch: ["amd64"]
-        store: ["sqlite", "postgres"]
+        arch: [ 'amd64' ]
+        store: [ 'sqlite', 'postgres' ]
     runs-on: ubuntu-22.04
     steps:
       - name: Create Docker network
@@ -488,12 +474,10 @@ jobs:
             prom/prometheus
 
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
 
       - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
           cache: false
@@ -501,10 +485,10 @@ jobs:
       - name: Get Go environment
         run: |
           echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
 
       - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
         with:
           path: |
             ${{ env.cache }}
@@ -521,7 +505,7 @@ jobs:
 
       - name: Login to Docker hub
         if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USER }}
           password: ${{ secrets.DOCKER_TOKEN }}
@@ -545,13 +529,13 @@ jobs:
 
   api_benchmark:
     name: "Management / Benchmark (API)"
-    needs: [build-cache]
+    needs: [ build-cache ]
     if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
     strategy:
       fail-fast: false
       matrix:
-        arch: ["amd64"]
-        store: ["sqlite", "postgres"]
+        arch: [ 'amd64' ]
+        store: [ 'sqlite', 'postgres' ]
     runs-on: ubuntu-22.04
     steps:
       - name: Create Docker network
@@ -582,12 +566,10 @@ jobs:
             prom/prometheus
 
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
 
       - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
           cache: false
@@ -595,10 +577,10 @@ jobs:
       - name: Get Go environment
         run: |
           echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
 
       - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
         with:
           path: |
             ${{ env.cache }}
@@ -615,7 +597,7 @@ jobs:
 
       - name: Login to Docker hub
         if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USER }}
           password: ${{ secrets.DOCKER_TOKEN }}
@@ -641,22 +623,20 @@ jobs:
 
   api_integration_test:
     name: "Management / Integration"
-    needs: [build-cache]
+    needs: [ build-cache ]
     if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
     strategy:
       fail-fast: false
       matrix:
-        arch: ["amd64"]
-        store: ["sqlite", "postgres"]
+        arch: [ 'amd64' ]
+        store: [ 'sqlite', 'postgres']
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
 
       - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
           cache: false
@@ -664,10 +644,10 @@ jobs:
       - name: Get Go environment
         run: |
           echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
 
       - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
         with:
           path: |
             ${{ env.cache }}

.github/workflows/golang-test-windows.yml

@@ -18,12 +18,10 @@ jobs:
     runs-on: windows-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
 
       - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         id: go
         with:
           go-version-file: "go.mod"
@@ -35,7 +33,7 @@ jobs:
           echo "modcache=$(go env GOMODCACHE)" >> $env:GITHUB_ENV
 
       - name: Cache Go modules
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
         with:
           path: |
             ${{ env.cache }}
@@ -46,15 +44,16 @@ jobs:
             ${{ runner.os }}-go-
 
       - name: Download wintun
+        uses: carlosperate/download-file-action@v2
         id: download-wintun
-        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
         with:
-          url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
-          destination: ${{ env.downloadPath }}\wintun.zip
-          sha256: 07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51
+          file-url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
+          file-name: wintun.zip
+          location: ${{ env.downloadPath }}
+          sha256: '07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51'
 
       - name: Decompressing wintun files
-        run: tar -xvf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}
+        run: tar -zvxf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}
 
       - run: mv ${{ env.downloadPath }}/wintun/bin/amd64/wintun.dll 'C:\Windows\System32\'
 

.github/workflows/golangci-lint.yml

@@ -15,11 +15,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
       - name: codespell
-        uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2.2
+        uses: codespell-project/actions-codespell@v2
         with:
           ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te,userA,ede,additionals
           skip: go.mod,go.sum,**/proxy/web/**
@@ -40,15 +38,13 @@ jobs:
     timeout-minutes: 15
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
       - name: Check for duplicate constants
         if: matrix.os == 'ubuntu-latest'
         run: |
           ! awk '/const \(/,/)/{print $0}' management/server/activity/codes.go | grep -o '= [0-9]*' | sort | uniq -d | grep .
       - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
           cache: false
@@ -56,7 +52,7 @@ jobs:
         if: matrix.os == 'ubuntu-latest'
         run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee #v9.2.1
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
           version: latest
           skip-cache: true

.github/workflows/install-script-test.yml

@@ -22,9 +22,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
 
       - name: run install script
         env:

.github/workflows/mobile-build-validation.yml

@@ -16,25 +16,23 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
       - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
       - name: Setup Android SDK
-        uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4.0.1
+        uses: android-actions/setup-android@v3
         with:
           cmdline-tools-version: 8512546
       - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
+        uses: actions/setup-java@v4
         with:
           java-version: "11"
           distribution: "adopt"
       - name: NDK Cache
         id: ndk-cache
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
         with:
           path: /usr/local/lib/android/sdk/ndk
           key: ndk-cache-23.1.7779620
@@ -54,11 +52,9 @@ jobs:
     runs-on: macos-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
       - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
       - name: install gomobile

.github/workflows/pr-title-check.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Validate PR title prefix
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v7
         with:
           script: |
             const title = context.payload.pull_request.title;

.github/workflows/proto-version-check.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check for proto tool version changes
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v7
         with:
           script: |
             const files = await github.paginate(github.rest.pulls.listFiles, {

.github/workflows/release.yml

@@ -9,7 +9,7 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.1.5"
+  SIGN_PIPE_VER: "v0.1.4"
   GORELEASER_VER: "v2.14.3"
   PRODUCT_NAME: "NetBird"
   COPYRIGHT: "NetBird GmbH"
@@ -24,9 +24,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
 
       - name: Generate FreeBSD port diff
         run: bash release_files/freebsd-port-diff.sh
@@ -53,26 +51,19 @@ jobs:
           echo "Generated files for version: $VERSION"
           cat netbird-*.diff
 
-      - name: Read Go version from go.mod
-        id: goversion
-        run: echo "version=$(awk '/^go / {print $2}' go.mod)" >> "$GITHUB_OUTPUT"
-
       - name: Test FreeBSD port
         if: steps.check_diff.outputs.diff_exists == 'true'
-        env:
-          GO_VERSION: ${{ steps.goversion.outputs.version }}
-        uses: vmactions/freebsd-vm@d1e65811565151536c0c894fff74f06351ed26e6 # v1.4.5
+        uses: vmactions/freebsd-vm@v1
         with:
           usesh: true
           copyback: false
           release: "15.0"
-          envs: "GO_VERSION"
           prepare: |
             # Install required packages
-            pkg install -y git curl portlint
+            pkg install -y git curl portlint go
 
             # Install Go for building
-            GO_TARBALL="go${GO_VERSION}.freebsd-amd64.tar.gz"
+            GO_TARBALL="go1.25.5.freebsd-amd64.tar.gz"
             GO_URL="https://go.dev/dl/$GO_TARBALL"
             curl -LO "$GO_URL"
             tar -C /usr/local -xzf "$GO_TARBALL"
@@ -102,19 +93,19 @@ jobs:
 
             # Show patched Makefile
             version=$(cat security/netbird/Makefile | grep -E '^DISTVERSION=' | awk '{print $NF}')
-
+            
             cd /usr/ports/security/netbird
             export BATCH=yes
             make package
             pkg add ./work/pkg/netbird-*.pkg
-
+            
             netbird version | grep "$version"
 
             echo "FreeBSD port test completed successfully!"
 
       - name: Upload FreeBSD port files
         if: steps.check_diff.outputs.diff_exists == 'true'
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
         with:
           name: freebsd-port-files
           path: |
@@ -133,25 +124,26 @@ jobs:
     env:
       flags: ""
     steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0 # It is required for GoReleaser to work properly
-          persist-credentials: false
-
       - name: Parse semver string
         id: semver_parser
-        uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
+        uses: booxmedialtd/ws-action-parse-semver@v1
+        with:
+          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
+          version_extractor_regex: '\/v(.*)$'
 
       - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
         run: echo "flags=--snapshot" >> $GITHUB_ENV
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # It is required for GoReleaser to work properly
       - name: Set up Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
           cache: false
       - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
         with:
           path: |
             ~/go/pkg/mod
@@ -164,18 +156,18 @@ jobs:
       - name: check git status
         run: git --no-pager diff --exit-code
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a #v4.0.0
+        uses: docker/setup-qemu-action@v2
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0
+        uses: docker/setup-buildx-action@v2
       - name: Login to Docker hub
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@v1
         with:
           username: ${{ secrets.DOCKER_USER }}
           password: ${{ secrets.DOCKER_TOKEN }}
       - name: Log in to the GitHub container registry
         if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -199,7 +191,7 @@ jobs:
         run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
       - name: Run GoReleaser
         id: goreleaser
-        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
+        uses: goreleaser/goreleaser-action@v4
         with:
           version: ${{ env.GORELEASER_VER }}
           args: release --clean ${{ env.flags }}
@@ -290,28 +282,28 @@ jobs:
           } >> "$GITHUB_OUTPUT"
       - name: upload non tags for debug purposes
         id: upload_release
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
         with:
           name: release
           path: dist/
           retention-days: 7
       - name: upload linux packages
         id: upload_linux_packages
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
         with:
           name: linux-packages
           path: dist/netbird_linux**
           retention-days: 7
       - name: upload windows packages
         id: upload_windows_packages
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
         with:
           name: windows-packages
           path: dist/netbird_windows**
           retention-days: 7
       - name: upload macos packages
         id: upload_macos_packages
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
         with:
           name: macos-packages
           path: dist/netbird_darwin**
@@ -322,26 +314,27 @@ jobs:
     outputs:
       release_ui_artifact_url: ${{ steps.upload_release_ui.outputs.artifact-url }}
     steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0 # It is required for GoReleaser to work properly
-          persist-credentials: false
-
       - name: Parse semver string
         id: semver_parser
-        uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
+        uses: booxmedialtd/ws-action-parse-semver@v1
+        with:
+          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
+          version_extractor_regex: '\/v(.*)$'
 
       - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
         run: echo "flags=--snapshot" >> $GITHUB_ENV
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # It is required for GoReleaser to work properly
 
       - name: Set up Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
           cache: false
       - name: Cache Go modules
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
         with:
           path: |
             ~/go/pkg/mod
@@ -382,7 +375,7 @@ jobs:
         run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/ui/manifest.xml -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_arm64.syso
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
+        uses: goreleaser/goreleaser-action@v4
         with:
           version: ${{ env.GORELEASER_VER }}
           args: release --config .goreleaser_ui.yaml --clean ${{ env.flags }}
@@ -411,7 +404,7 @@ jobs:
         run: rm -f /tmp/gpg-rpm-signing-key.asc
       - name: upload non tags for debug purposes
         id: upload_release_ui
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
         with:
           name: release-ui
           path: dist/
@@ -425,17 +418,16 @@ jobs:
       - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
         run: echo "flags=--snapshot" >> $GITHUB_ENV
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0 # It is required for GoReleaser to work properly
-          persist-credentials: false
       - name: Set up Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
           cache: false
       - name: Cache Go modules
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
         with:
           path: |
             ~/go/pkg/mod
@@ -449,7 +441,7 @@ jobs:
         run: git --no-pager diff --exit-code
       - name: Run GoReleaser
         id: goreleaser
-        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
+        uses: goreleaser/goreleaser-action@v4
         with:
           version: ${{ env.GORELEASER_VER }}
           args: release --config .goreleaser_ui_darwin.yaml --clean ${{ env.flags }}
@@ -457,7 +449,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: upload non tags for debug purposes
         id: upload_release_ui_darwin
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
         with:
           name: release-ui-darwin
           path: dist/
@@ -482,26 +474,27 @@ jobs:
       PackageWorkdir: netbird_windows_${{ matrix.arch }}
       downloadPath: '${{ github.workspace }}\temp'
     steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
       - name: Parse semver string
         id: semver_parser
-        uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
+        uses: booxmedialtd/ws-action-parse-semver@v1
+        with:
+          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
+          version_extractor_regex: '\/v(.*)$'
+
+      - name: Checkout
+        uses: actions/checkout@v4
 
       - name: Add 7-Zip to PATH
         run: echo "C:\Program Files\7-Zip" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
 
       - name: Download release artifacts
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.1
+        uses: actions/download-artifact@v4
         with:
           name: release
           path: release
 
       - name: Download UI release artifacts
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.1
+        uses: actions/download-artifact@v4
         with:
           name: release-ui
           path: release-ui
@@ -521,27 +514,29 @@ jobs:
           Get-ChildItem $workdir
 
       - name: Download wintun
+        uses: carlosperate/download-file-action@v2
         id: download-wintun
-        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
         with:
-          url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
-          destination: ${{ env.downloadPath }}\wintun.zip
-          sha256: 07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51
+          file-url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
+          file-name: wintun.zip
+          location: ${{ env.downloadPath }}
+          sha256: '07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51'
 
       - name: Decompress wintun files
-        run: tar -xvf "${{ env.downloadPath }}\wintun.zip" -C ${{ env.downloadPath }}
+        run: tar -zvxf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}
 
       - name: Move wintun.dll into dist
         run: mv ${{ env.downloadPath }}\wintun\bin\${{ matrix.wintun_arch }}\wintun.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\
 
       - name: Download Mesa3D (amd64 only)
+        uses: carlosperate/download-file-action@v2
         id: download-mesa3d
         if: matrix.arch == 'amd64'
-        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
         with:
-          url: https://pkgs.netbird.io/mesa3d/MesaForWindows-x64-20.1.8.7z
-          destination: ${{ env.downloadPath }}\mesa3d.7z
-          sha256: 71c7cb64ec229a1d6b8d62fa08e1889ed2bd17c0eeede8689daf0f25cb31d6b9
+          file-url: https://downloads.fdossena.com/Projects/Mesa3D/Builds/MesaForWindows-x64-20.1.8.7z
+          file-name: mesa3d.7z
+          location: ${{ env.downloadPath }}
+          sha256: '71c7cb64ec229a1d6b8d62fa08e1889ed2bd17c0eeede8689daf0f25cb31d6b9'
 
       - name: Extract Mesa3D driver (amd64 only)
         if: matrix.arch == 'amd64'
@@ -552,38 +547,35 @@ jobs:
         run: mv ${{ env.downloadPath }}\opengl32.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\
 
       - name: Download EnVar plugin for NSIS
-        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
+        uses: carlosperate/download-file-action@v2
         with:
-          url: https://pkgs.netbird.io/nsis/EnVar_plugin.zip
-          destination: ${{ github.workspace }}\envar_plugin.zip
-          sha256: e9aa92de351345ed82795251d838f1ae9041ba35af9d381a5780c7843b01f56a
+          file-url: https://nsis.sourceforge.io/mediawiki/images/7/7f/EnVar_plugin.zip
+          file-name: envar_plugin.zip
+          location: ${{ github.workspace }}
 
       - name: Extract EnVar plugin
         run: 7z x -o"${{ github.workspace }}/NSIS_Plugins" "${{ github.workspace }}/envar_plugin.zip"
 
       - name: Download ShellExecAsUser plugin for NSIS (amd64 only)
+        uses: carlosperate/download-file-action@v2
         if: matrix.arch == 'amd64'
-        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
         with:
-          url: https://pkgs.netbird.io/nsis/ShellExecAsUser_amd64-Unicode.7z
-          destination: ${{ github.workspace }}\ShellExecAsUser_amd64-Unicode.7z
-          sha256: 0a55ea25c7330a92cec028eda8afcaf1b1a7092e0dfb77c21c8f654564b4ff9d
+          file-url: https://nsis.sourceforge.io/mediawiki/images/6/68/ShellExecAsUser_amd64-Unicode.7z
+          file-name: ShellExecAsUser_amd64-Unicode.7z
+          location: ${{ github.workspace }}
 
       - name: Extract ShellExecAsUser plugin (amd64 only)
         if: matrix.arch == 'amd64'
         run: 7z x -o"${{ github.workspace }}/NSIS_Plugins" "${{ github.workspace }}/ShellExecAsUser_amd64-Unicode.7z"
 
       - name: Build NSIS installer
-        shell: pwsh
+        uses: joncloud/makensis-action@v3.3
+        with:
+          additional-plugin-paths: ${{ github.workspace }}/NSIS_Plugins/Plugins
+          script-file: client/installer.nsis
+          arguments: "/V4 /DARCH=${{ matrix.arch }}"
         env:
           APPVER: ${{ steps.semver_parser.outputs.major }}.${{ steps.semver_parser.outputs.minor }}.${{ steps.semver_parser.outputs.patch }}.${{ github.run_id }}
-        run: |
-          $nsisPluginDir = "C:\Program Files (x86)\NSIS\Plugins\x86-unicode"
-          $srcPlugins    = "${{ github.workspace }}\NSIS_Plugins\Plugins"
-          Get-ChildItem -Path $srcPlugins -Recurse -Filter *.dll |
-            Copy-Item -Destination $nsisPluginDir -Force
-          & "C:\Program Files (x86)\NSIS\makensis.exe" /V4 "/DARCH=${{ matrix.arch }}" client\installer.nsis
-          if ($LASTEXITCODE -ne 0) { throw "makensis failed with exit code $LASTEXITCODE" }
 
       - name: Rename NSIS installer
         run: mv netbird-installer.exe netbird_installer_test_windows_${{ matrix.arch }}.exe
@@ -600,7 +592,7 @@ jobs:
 
       - name: Upload installer artifacts
         if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
         with:
           name: windows-installer-test-${{ matrix.arch }}
           path: |
@@ -619,7 +611,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Create or update PR comment
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v7
         env:
           RELEASE_RESULT: ${{ needs.release.result }}
           RELEASE_UI_RESULT: ${{ needs.release_ui.result }}
@@ -711,7 +703,7 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/')
     steps:
       - name: Trigger binaries sign pipelines
-        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
+        uses: benc-uk/workflow-dispatch@v1
         with:
           workflow: Sign bin and installer
           repo: netbirdio/sign-pipelines

.github/workflows/sync-main.yml

@@ -14,9 +14,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Trigger main branch sync
-        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
+        uses: benc-uk/workflow-dispatch@v1
         with:
           workflow: sync-main.yml
           repo: ${{ secrets.UPSTREAM_REPO }}
           token: ${{ secrets.NC_GITHUB_TOKEN }}
-          inputs: '{ "sha": "${{ github.sha }}" }'
+          inputs: '{ "sha": "${{ github.sha }}" }'

.github/workflows/sync-tag.yml

@@ -3,7 +3,7 @@ name: sync tag
 on:
   push:
     tags:
-      - "v*"
+      - 'v*'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Trigger release tag sync
-        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
+        uses: benc-uk/workflow-dispatch@v1
         with:
           workflow: sync-tag.yml
           ref: main
@@ -29,7 +29,7 @@ jobs:
     if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
     steps:
       - name: Trigger android-client submodule bump
-        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
+        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
         with:
           workflow: bump-netbird.yml
           ref: main
@@ -42,10 +42,10 @@ jobs:
     if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
     steps:
       - name: Trigger ios-client submodule bump
-        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
+        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
         with:
           workflow: bump-netbird.yml
           ref: main
           repo: netbirdio/ios-client
           token: ${{ secrets.NC_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref_name }}" }'
+          inputs: '{ "tag": "${{ github.ref_name }}" }'

.github/workflows/test-infrastructure-files.yml

@@ -6,10 +6,10 @@ on:
       - main
   pull_request:
     paths:
-      - "infrastructure_files/**"
-      - ".github/workflows/test-infrastructure-files.yml"
-      - "management/cmd/**"
-      - "signal/cmd/**"
+      - 'infrastructure_files/**'
+      - '.github/workflows/test-infrastructure-files.yml'
+      - 'management/cmd/**'
+      - 'signal/cmd/**'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        store: ["sqlite", "postgres", "mysql"]
+        store: [ 'sqlite', 'postgres', 'mysql' ]
     services:
       postgres:
         image: ${{ (matrix.store == 'postgres') && 'postgres' || '' }}
@@ -68,17 +68,15 @@ jobs:
         run: sudo apt-get install -y curl
 
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
 
       - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
 
       - name: Cache Go modules
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -141,8 +139,8 @@ jobs:
           CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
           CI_NETBIRD_SIGNAL_PORT: 12345
           CI_NETBIRD_STORE_CONFIG_ENGINE: ${{ matrix.store }}
-          NETBIRD_STORE_ENGINE_POSTGRES_DSN: "${{ env.NETBIRD_STORE_ENGINE_POSTGRES_DSN }}$"
-          NETBIRD_STORE_ENGINE_MYSQL_DSN: "${{ env.NETBIRD_STORE_ENGINE_MYSQL_DSN }}$"
+          NETBIRD_STORE_ENGINE_POSTGRES_DSN: '${{ env.NETBIRD_STORE_ENGINE_POSTGRES_DSN }}$'
+          NETBIRD_STORE_ENGINE_MYSQL_DSN: '${{ env.NETBIRD_STORE_ENGINE_MYSQL_DSN }}$'
           CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false
           CI_NETBIRD_TURN_EXTERNAL_IP: "1.2.3.4"
           CI_NETBIRD_MGMT_DISABLE_DEFAULT_POLICY: false
@@ -256,9 +254,7 @@ jobs:
         run: sudo apt-get install -y jq
 
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
 
       - name: run script with Zitadel PostgreSQL
         run: NETBIRD_DOMAIN=use-ip bash -x infrastructure_files/getting-started-with-zitadel.sh

.github/workflows/update-docs.yml

@@ -3,9 +3,9 @@ name: update docs
 on:
   push:
     tags:
-      - "v*"
+      - 'v*'
     paths:
-      - "shared/management/http/api/openapi.yml"
+      - 'shared/management/http/api/openapi.yml'
 
 jobs:
   trigger_docs_api_update:
@@ -13,10 +13,10 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/')
     steps:
       - name: Trigger API pages generation
-        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
+        uses: benc-uk/workflow-dispatch@v1
         with:
           workflow: generate api pages
           repo: netbirdio/docs
           ref: "refs/heads/main"
           token: ${{ secrets.SIGN_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref }}" }'
+          inputs: '{ "tag": "${{ github.ref }}" }'

.github/workflows/wasm-build-validation.yml

@@ -19,17 +19,15 @@ jobs:
       GOARCH: wasm
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
       - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
       - name: Install dependencies
         run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
       - name: Install golangci-lint
-        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee #v9.2.1
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
           version: latest
           install-mode: binary
@@ -44,11 +42,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
       - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
       - name: Build Wasm client
@@ -69,3 +65,4 @@ jobs:
             echo "Wasm binary size (${SIZE_MB}MB) exceeds 56MB limit!"
             exit 1
           fi
+

client/android/profile_manager.go

@@ -137,7 +137,7 @@ func (pm *ProfileManager) SwitchProfile(profileName string) error {
 // AddProfile creates a new profile
 func (pm *ProfileManager) AddProfile(profileName string) error {
 	// Use ServiceManager (creates profile in profiles/ directory)
-	if err := pm.serviceMgr.AddProfile(profileName, androidUsername); err != nil {
+	if err := pm.serviceMgr.AddProfile(profileName, androidUsername, nil); err != nil {
 		return fmt.Errorf("failed to add profile: %w", err)
 	}
 

client/cmd/owner.go

@@ -0,0 +1,84 @@
+package cmd
+
+import (
+	"fmt"
+	"strconv"
+
+	"github.com/spf13/cobra"
+
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+var ownerCmd = &cobra.Command{
+	Use:   "owner",
+	Short: "Manage daemon owner UIDs",
+	Long: `Manage the list of UIDs allowed to control the NetBird daemon.
+
+Owners are persisted in the active profile config and survive daemon restarts.
+The first call from the user logged in at the GUI / console session claims
+ownership automatically; these subcommands cover the rest of the lifecycle.`,
+}
+
+var ownerAddCmd = &cobra.Command{
+	Use:   "add <uid>",
+	Short: "Add a UID as an owner of the daemon",
+	Long: `Add a UID to the active profile's owner list. Requires root or an
+existing owner. Use this to grant another local user permanent access without
+having them log in at the console first.`,
+	Args: cobra.ExactArgs(1),
+	RunE: addOwnerFunc,
+}
+
+var ownerResetCmd = &cobra.Command{
+	Use:   "reset",
+	Short: "Clear the daemon's owner list",
+	Long: `Clear the active profile's owner list, returning the daemon to its
+unconfigured state. The next call from the active console-session user will
+re-claim ownership. Requires root.`,
+	RunE: resetOwnerFunc,
+}
+
+func addOwnerFunc(cmd *cobra.Command, args []string) error {
+	if err := setupCmd(cmd); err != nil {
+		return err
+	}
+
+	uid, err := strconv.ParseUint(args[0], 10, 32)
+	if err != nil {
+		return fmt.Errorf("parse uid %q: %w", args[0], err)
+	}
+
+	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
+	if err != nil {
+		return fmt.Errorf("connect to daemon: %w", err)
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+	if _, err := client.AddOwner(cmd.Context(), &proto.AddOwnerRequest{Uid: uint32(uid)}); err != nil {
+		return fmt.Errorf("add owner: %w", err)
+	}
+
+	cmd.Printf("UID %d added as owner\n", uid)
+	return nil
+}
+
+func resetOwnerFunc(cmd *cobra.Command, _ []string) error {
+	if err := setupCmd(cmd); err != nil {
+		return err
+	}
+
+	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
+	if err != nil {
+		return fmt.Errorf("connect to daemon: %w", err)
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+	if _, err := client.ResetOwner(cmd.Context(), &proto.ResetOwnerRequest{}); err != nil {
+		return fmt.Errorf("reset owner: %w", err)
+	}
+
+	cmd.Println("daemon owner list cleared; next call from the active console user will re-claim ownership")
+	return nil
+}

client/cmd/root.go

@@ -23,6 +23,7 @@ import (
 	"google.golang.org/grpc/credentials/insecure"
 
 	daddr "github.com/netbirdio/netbird/client/internal/daemonaddr"
+	"github.com/netbirdio/netbird/client/internal/owner"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )
 
@@ -156,8 +157,12 @@ func init() {
 	rootCmd.AddCommand(forwardingRulesCmd)
 	rootCmd.AddCommand(debugCmd)
 	rootCmd.AddCommand(profileCmd)
+	rootCmd.AddCommand(ownerCmd)
 	rootCmd.AddCommand(exposeCmd)
 
+	ownerCmd.AddCommand(ownerAddCmd)
+	ownerCmd.AddCommand(ownerResetCmd)
+
 	networksCMD.AddCommand(routesListCmd)
 	networksCMD.AddCommand(routesSelectCmd, routesDeselectCmd)
 
@@ -250,11 +255,24 @@ func DialClientGRPCServer(ctx context.Context, addr string) (*grpc.ClientConn, e
 	return grpc.DialContext(
 		ctx,
 		strings.TrimPrefix(addr, "tcp://"),
-		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		daemonDialTransportOption(addr),
 		grpc.WithBlock(),
 	)
 }
 
+// daemonDialTransportOption returns the appropriate transport credentials for connecting
+// to the daemon. On Unix socket platforms, uses Unix transport credentials so the server
+// can extract the caller's UID for owner verification. Otherwise, uses insecure credentials.
+func daemonDialTransportOption(addr string) grpc.DialOption {
+	if strings.HasPrefix(addr, "unix://") {
+		creds := owner.NewUnixTransportCredentials()
+		if creds != nil {
+			return grpc.WithTransportCredentials(creds)
+		}
+	}
+	return grpc.WithTransportCredentials(insecure.NewCredentials())
+}
+
 // WithBackOff execute function in backoff cycle.
 func WithBackOff(bf func() error) error {
 	return backoff.RetryNotify(bf, CLIBackOffSettings, func(err error, duration time.Duration) {

client/cmd/service_controller.go

@@ -16,6 +16,7 @@ import (
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc"
 
+	"github.com/netbirdio/netbird/client/internal/owner"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/server"
 	"github.com/netbirdio/netbird/client/system"
@@ -29,9 +30,6 @@ func (p *program) Start(svc service.Service) error {
 	// Collect static system and platform information
 	system.UpdateStaticInfoAsync()
 
-	// in any case, even if configuration does not exists we run daemon to serve CLI gRPC API.
-	p.serv = grpc.NewServer()
-
 	split := strings.Split(daemonAddr, "://")
 	switch split[0] {
 	case "unix":
@@ -47,6 +45,12 @@ func (p *program) Start(svc service.Service) error {
 		return fmt.Errorf("unsupported daemon address protocol: %v", split[0])
 	}
 
+	// Set up owner enforcement for Unix sockets.
+	configAdapter := &owner.ConfigAdapter{}
+	serverOpts := ownerServerOpts(split[0], configAdapter)
+
+	p.serv = grpc.NewServer(serverOpts...)
+
 	listen, err := net.Listen(split[0], split[1])
 	if err != nil {
 		return fmt.Errorf("listen daemon interface: %w", err)
@@ -65,6 +69,8 @@ func (p *program) Start(svc service.Service) error {
 		if err := serverInstance.Start(); err != nil {
 			log.Fatalf("failed to start daemon: %v", err)
 		}
+
+		configAdapter.SetBackend(serverInstance)
 		proto.RegisterDaemonServiceServer(p.serv, serverInstance)
 
 		p.serverInstanceMu.Lock()
@@ -79,6 +85,32 @@ func (p *program) Start(svc service.Service) error {
 	return nil
 }
 
+// ownerServerOpts returns gRPC server options for owner enforcement.
+// On Unix socket platforms, this includes transport credentials for peer credential
+// extraction and interceptors that check the caller's UID. On other platforms or TCP,
+// no owner enforcement is applied and a warning is logged so operators know the daemon
+// is running without per-user authorization.
+func ownerServerOpts(protocol string, configAdapter *owner.ConfigAdapter) []grpc.ServerOption {
+	if protocol != "unix" {
+		log.Warnf("daemon socket owner enforcement is not applied for protocol %q", protocol)
+		return nil
+	}
+
+	creds := owner.NewUnixTransportCredentials()
+	if creds == nil {
+		log.Warnf("daemon socket owner enforcement unavailable on this platform; daemon will accept any local connection")
+		return nil
+	}
+
+	interceptor := owner.NewInterceptor(configAdapter)
+
+	return []grpc.ServerOption{
+		grpc.Creds(creds),
+		grpc.ChainUnaryInterceptor(interceptor.UnaryInterceptor()),
+		grpc.ChainStreamInterceptor(interceptor.StreamInterceptor()),
+	}
+}
+
 func (p *program) Stop(srv service.Service) error {
 	p.serverInstanceMu.Lock()
 	if p.serverInstance != nil {

client/cmd/up.go

@@ -44,6 +44,9 @@ const (
 
 	profileNameFlag = "profile"
 	profileNameDesc = "profile name to use for the login. If not specified, the last used profile will be used."
+
+	claimOwnerFlag = "owner"
+	claimOwnerDesc = "claim owner privileges for this profile, restricting daemon control to the current user and root"
 )
 
 var (
@@ -54,6 +57,7 @@ var (
 	showQR             bool
 	profileName        string
 	configPath         string
+	claimOwner         bool
 
 	upCmd = &cobra.Command{
 		Use:   "up",
@@ -87,6 +91,7 @@ func init() {
 	upCmd.PersistentFlags().BoolVar(&showQR, showQRFlag, false, showQRDesc)
 	upCmd.PersistentFlags().StringVar(&profileName, profileNameFlag, "", profileNameDesc)
 	upCmd.PersistentFlags().StringVarP(&configPath, "config", "c", "", "(DEPRECATED) NetBird config file location. ")
+	upCmd.PersistentFlags().BoolVar(&claimOwner, claimOwnerFlag, false, claimOwnerDesc)
 
 }
 
@@ -331,6 +336,7 @@ func doDaemonUp(ctx context.Context, cmd *cobra.Command, client proto.DaemonServ
 	if _, err := client.Up(ctx, &proto.UpRequest{
 		ProfileName: &activeProf.Name,
 		Username:    &username,
+		ClaimOwner:  claimOwner,
 	}); err != nil {
 		return fmt.Errorf("call service up method: %v", err)
 	}

client/cmd/up_daemon_test.go

@@ -29,7 +29,7 @@ func TestUpDaemon(t *testing.T) {
 	}
 
 	sm := profilemanager.ServiceManager{}
-	err = sm.AddProfile("test1", currUser.Username)
+	err = sm.AddProfile("test1", currUser.Username, nil)
 	if err != nil {
 		t.Fatalf("failed to add profile: %v", err)
 		return

client/internal/auth/pkce_flow.go

@@ -360,13 +360,7 @@ func isRedirectURLPortUsed(redirectURL string, excludedRanges []excludedPortRang
 		return true
 	}
 
-	// FreeBSD 15 disables connecting to INADDR_ANY (0.0.0.0) as a localhost
-	// alias by default, ensure explicit ip for localhost.
-	host := parsedURL.Hostname()
-	if host == "" {
-		host = "127.0.0.1"
-	}
-	addr := net.JoinHostPort(host, port)
+	addr := fmt.Sprintf(":%s", port)
 	conn, err := net.DialTimeout("tcp", addr, 3*time.Second)
 	if err != nil {
 		return false

client/internal/owner/config.go

@@ -0,0 +1,46 @@
+package owner
+
+import (
+	"fmt"
+	"sync"
+)
+
+// ConfigAdapter is a thread-safe OwnerConfig that delegates to a lazily-set backend.
+// This allows the interceptor to be created before the daemon server (and its config)
+// is initialized, which is necessary because gRPC interceptors are set at server creation time.
+type ConfigAdapter struct {
+	mu      sync.RWMutex
+	backend OwnerConfig
+}
+
+// SetBackend sets the actual config implementation. Must be called before any RPCs are served.
+func (a *ConfigAdapter) SetBackend(backend OwnerConfig) {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	a.backend = backend
+}
+
+// GetOwnerUIDs delegates to the backend.
+func (a *ConfigAdapter) GetOwnerUIDs() []UID {
+	a.mu.RLock()
+	defer a.mu.RUnlock()
+
+	if a.backend == nil {
+		// No backend yet, return empty (root-only).
+		return []UID{}
+	}
+
+	return a.backend.GetOwnerUIDs()
+}
+
+// AddOwnerUID delegates to the backend.
+func (a *ConfigAdapter) AddOwnerUID(uid UID) error {
+	a.mu.RLock()
+	defer a.mu.RUnlock()
+
+	if a.backend == nil {
+		return fmt.Errorf("owner config backend not initialized")
+	}
+
+	return a.backend.AddOwnerUID(uid)
+}

client/internal/owner/consoleuser/consoleuser.go

@@ -0,0 +1,17 @@
+// Package consoleuser provides the OS-level "active console user" UID lookup
+// used to gate ownership TOFU. The active console user is the local user
+// physically at the machine (or in the foreground GUI session): the user that
+// can legitimately claim the daemon as theirs on first run.
+package consoleuser
+
+// ActiveUID returns the UID of the currently active console / GUI session
+// user, and true if such a user exists. Returns 0, false on platforms without
+// a console concept (ios, android), on headless servers with no active
+// session, or on lookup failure.
+//
+// Implementations must fail closed: any error or ambiguity returns (0, false)
+// so that the caller treats the result as "no console user" rather than
+// granting access to an unverified UID.
+func ActiveUID() (uint32, bool) {
+	return activeUID()
+}

client/internal/owner/consoleuser/consoleuser_darwin.go

@@ -0,0 +1,58 @@
+package consoleuser
+
+import (
+	"unsafe"
+
+	"github.com/ebitengine/purego"
+)
+
+// activeUID returns the UID of the user currently logged into the macOS GUI
+// console session. Uses SCDynamicStoreCopyConsoleUser from the
+// SystemConfiguration framework via purego (no cgo).
+func activeUID() (uint32, bool) {
+	sc, err := purego.Dlopen(
+		"/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration",
+		purego.RTLD_NOW|purego.RTLD_GLOBAL,
+	)
+	if err != nil {
+		return 0, false
+	}
+
+	cf, err := purego.Dlopen(
+		"/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation",
+		purego.RTLD_NOW|purego.RTLD_GLOBAL,
+	)
+	if err != nil {
+		return 0, false
+	}
+
+	// CFStringRef SCDynamicStoreCopyConsoleUser(SCDynamicStoreRef store,
+	//     uid_t *uid, gid_t *gid);
+	//
+	// We pass nil for the store (NULL is accepted; the framework creates a
+	// transient one), discard the returned CFStringRef username (we only
+	// need the UID), and read uid via the out-pointer.
+	var copyConsoleUser func(store uintptr, uidPtr, gidPtr unsafe.Pointer) uintptr
+	purego.RegisterLibFunc(&copyConsoleUser, sc, "SCDynamicStoreCopyConsoleUser")
+
+	var cfRelease func(uintptr)
+	purego.RegisterLibFunc(&cfRelease, cf, "CFRelease")
+
+	var uid uint32
+	var gid uint32
+
+	cfStr := copyConsoleUser(0, unsafe.Pointer(&uid), unsafe.Pointer(&gid))
+	if cfStr == 0 {
+		return 0, false
+	}
+	cfRelease(cfStr)
+
+	// loginwindow / no GUI session reports uid 0. We don't want the
+	// console-user path to grant anything to root (root is already always
+	// allowed by the interceptor), so treat uid 0 as "no console user".
+	if uid == 0 {
+		return 0, false
+	}
+
+	return uid, true
+}

client/internal/owner/consoleuser/consoleuser_freebsd.go

@@ -0,0 +1,34 @@
+package consoleuser
+
+import (
+	"fmt"
+	"os"
+	"syscall"
+)
+
+// activeUID returns the UID of the user currently logged into the FreeBSD
+// console. FreeBSD's vt(4) chowns the active virtual terminal device to the
+// logged-in user, so a non-root owner of any /dev/ttyvN reliably identifies
+// the console user.
+//
+// We scan /dev/ttyv0../dev/ttyv9 and return the first non-root owner. Network
+// ptys (pts) are intentionally not considered: SSH'd users are not "at the
+// console" and must not TOFU-claim ownership.
+func activeUID() (uint32, bool) {
+	for i := 0; i < 10; i++ {
+		path := fmt.Sprintf("/dev/ttyv%d", i)
+		fi, err := os.Stat(path)
+		if err != nil {
+			continue
+		}
+		st, ok := fi.Sys().(*syscall.Stat_t)
+		if !ok {
+			continue
+		}
+		if st.Uid == 0 {
+			continue
+		}
+		return st.Uid, true
+	}
+	return 0, false
+}

client/internal/owner/consoleuser/consoleuser_linux.go

@@ -0,0 +1,64 @@
+package consoleuser
+
+import (
+	"github.com/godbus/dbus/v5"
+)
+
+const (
+	loginDest      = "org.freedesktop.login1"
+	loginPath      = dbus.ObjectPath("/org/freedesktop/login1")
+	loginInterface = "org.freedesktop.login1.Manager"
+	listSessions   = loginInterface + ".ListSessions"
+
+	sessionInterface = "org.freedesktop.login1.Session"
+	sessionActive    = sessionInterface + ".Active"
+	sessionClass     = sessionInterface + ".Class"
+)
+
+// activeUID queries systemd-logind for the active local user session and
+// returns that user's UID. Falls back to (0, false) on any error or when no
+// active user session exists (headless box, no GUI, no login at the console).
+func activeUID() (uint32, bool) {
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return 0, false
+	}
+
+	mgr := conn.Object(loginDest, loginPath)
+
+	// ListSessions returns []struct{ID string; UID uint32; User string;
+	// Seat string; Path dbus.ObjectPath}.
+	var sessions []struct {
+		ID   string
+		UID  uint32
+		User string
+		Seat string
+		Path dbus.ObjectPath
+	}
+	if err := mgr.Call(listSessions, 0).Store(&sessions); err != nil {
+		return 0, false
+	}
+
+	for _, s := range sessions {
+		obj := conn.Object(loginDest, s.Path)
+
+		active, err := obj.GetProperty(sessionActive)
+		if err != nil || active.Value() != true {
+			continue
+		}
+
+		class, err := obj.GetProperty(sessionClass)
+		if err != nil {
+			continue
+		}
+		// Only "user" sessions count; "greeter" / "lock-screen" / etc. are
+		// not someone we should grant ownership to.
+		if classStr, ok := class.Value().(string); !ok || classStr != "user" {
+			continue
+		}
+
+		return s.UID, true
+	}
+
+	return 0, false
+}

client/internal/owner/consoleuser/consoleuser_other.go

@@ -0,0 +1,9 @@
+//go:build !linux && !darwin && !freebsd && !windows
+
+package consoleuser
+
+// activeUID has no meaning on platforms without a console-user concept
+// (ios, android). Returns no-user so TOFU never fires.
+func activeUID() (uint32, bool) {
+	return 0, false
+}

client/internal/owner/consoleuser/consoleuser_windows.go

@@ -0,0 +1,59 @@
+package consoleuser
+
+import (
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+// activeUID returns a synthetic UID (the user SID's RID) for the currently
+// active Windows console session. The owner package treats UIDs as opaque
+// uint32 identifiers; on Windows we use the user account RID, which is stable
+// per-account on a given machine.
+//
+// Returns (0, false) when there is no active console session, the session has
+// no logged-in user, or any lookup fails.
+func activeUID() (uint32, bool) {
+	sessionID := windows.WTSGetActiveConsoleSessionId()
+	if sessionID == 0xFFFFFFFF {
+		return 0, false
+	}
+
+	var token windows.Token
+	if err := windows.WTSQueryUserToken(sessionID, &token); err != nil {
+		return 0, false
+	}
+	defer token.Close()
+
+	user, err := tokenUserSID(token)
+	if err != nil || user == nil {
+		return 0, false
+	}
+
+	subCount := user.SubAuthorityCount()
+	if subCount == 0 {
+		return 0, false
+	}
+	rid := user.SubAuthority(uint32(subCount) - 1)
+	if rid == 0 {
+		return 0, false
+	}
+	return rid, true
+}
+
+// tokenUserSID returns the user SID associated with the given access token.
+func tokenUserSID(token windows.Token) (*windows.SID, error) {
+	var size uint32
+	err := windows.GetTokenInformation(token, windows.TokenUser, nil, 0, &size)
+	if err != windows.ERROR_INSUFFICIENT_BUFFER {
+		return nil, err
+	}
+
+	buf := make([]byte, size)
+	if err := windows.GetTokenInformation(token, windows.TokenUser, &buf[0], size, &size); err != nil {
+		return nil, err
+	}
+
+	tu := (*windows.Tokenuser)(unsafe.Pointer(&buf[0]))
+	return tu.User.Sid, nil
+}

client/internal/owner/creds.go

@@ -0,0 +1,37 @@
+package owner
+
+import (
+	"context"
+
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/peer"
+)
+
+// UnixAuthInfo implements credentials.AuthInfo carrying the peer's UID from SO_PEERCRED.
+type UnixAuthInfo struct {
+	credentials.CommonAuthInfo
+	UID UID
+	GID uint32
+	PID int32
+}
+
+// AuthType returns the authentication type.
+func (u UnixAuthInfo) AuthType() string {
+	return "unix_peercred"
+}
+
+// UIDFromContext extracts the caller's UID from the gRPC peer context.
+// Returns uid and true if Unix credentials were available, 0 and false otherwise.
+func UIDFromContext(ctx context.Context) (UID, bool) {
+	p, ok := peer.FromContext(ctx)
+	if !ok {
+		return 0, false
+	}
+
+	info, ok := p.AuthInfo.(UnixAuthInfo)
+	if !ok {
+		return 0, false
+	}
+
+	return info.UID, true
+}

client/internal/owner/env.go

@@ -0,0 +1,48 @@
+package owner
+
+import (
+	"os"
+	"strconv"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+)
+
+// EnvOwnerUID is the environment variable that seeds the owner UID list for new config files.
+// MDM deployments can set this (e.g. via --service-env NB_OWNER_UID=1000) so the first
+// config created by the daemon pre-populates the owner without requiring "netbird up --owner".
+// Multiple UIDs can be comma-separated: NB_OWNER_UID=1000,1001
+const EnvOwnerUID = "NB_OWNER_UID"
+
+// OwnerUIDsFromEnv parses NB_OWNER_UID into a UID slice.
+// Returns nil if the variable is unset, allowing the caller to distinguish
+// "not configured" from "explicitly empty".
+func OwnerUIDsFromEnv() []UID {
+	val := os.Getenv(EnvOwnerUID)
+	if val == "" {
+		return nil
+	}
+
+	parts := strings.Split(val, ",")
+	uids := make([]UID, 0, len(parts))
+	for _, p := range parts {
+		p = strings.TrimSpace(p)
+		if p == "" {
+			continue
+		}
+		uid, err := strconv.ParseUint(p, 10, 32)
+		if err != nil {
+			log.Warnf("ignoring invalid UID %q in %s: %v", p, EnvOwnerUID, err)
+			continue
+		}
+		uids = append(uids, UID(uid))
+	}
+
+	if len(uids) == 0 {
+		log.Warnf("%s set but contains no valid UIDs, defaulting to root-only", EnvOwnerUID)
+		return []UID{}
+	}
+
+	log.Infof("seeding owner UIDs from %s: %v", EnvOwnerUID, uids)
+	return uids
+}

client/internal/owner/env_test.go

@@ -0,0 +1,81 @@
+package owner
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestOwnerUIDsFromEnv(t *testing.T) {
+	tests := []struct {
+		name     string
+		envValue string
+		unset    bool
+		want     []UID
+	}{
+		{
+			name:  "unset returns nil",
+			unset: true,
+			want:  nil,
+		},
+		{
+			name:     "empty string returns nil",
+			envValue: "",
+			want:     nil,
+		},
+		{
+			name:     "single UID",
+			envValue: "1000",
+			want:     []UID{1000},
+		},
+		{
+			name:     "multiple UIDs",
+			envValue: "1000,1001,1002",
+			want:     []UID{1000, 1001, 1002},
+		},
+		{
+			name:     "spaces around UIDs",
+			envValue: " 1000 , 1001 ",
+			want:     []UID{1000, 1001},
+		},
+		{
+			name:     "invalid UID skipped",
+			envValue: "1000,notanumber,1001",
+			want:     []UID{1000, 1001},
+		},
+		{
+			name:     "all invalid returns empty slice",
+			envValue: "abc,def",
+			want:     []UID{},
+		},
+		{
+			name:     "trailing comma",
+			envValue: "1000,",
+			want:     []UID{1000},
+		},
+		{
+			name:     "zero UID is valid",
+			envValue: "0",
+			want:     []UID{0},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Setenv(EnvOwnerUID, tt.envValue)
+			if tt.unset {
+				os.Unsetenv(EnvOwnerUID)
+			}
+
+			got := OwnerUIDsFromEnv()
+
+			if tt.want == nil {
+				require.Nil(t, got)
+			} else {
+				assert.Equal(t, tt.want, got)
+			}
+		})
+	}
+}

client/internal/owner/interceptor.go

@@ -0,0 +1,170 @@
+package owner
+
+import (
+	"context"
+	"slices"
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/internal/owner/consoleuser"
+)
+
+const servicePath = "/daemon.DaemonService/"
+
+// profileBypassMethods skip the active-profile owner check. They either
+// operate on a specific target profile (and the handler enforces target-profile
+// owner-or-root itself) or are per-user listings/creations that don't affect
+// the active session and shouldn't require active-profile ownership. Peer
+// credentials are still required.
+var profileBypassMethods = map[string]bool{
+	servicePath + "AddProfile":    true,
+	servicePath + "ListProfiles":  true,
+	servicePath + "RemoveProfile": true,
+	servicePath + "SwitchProfile": true,
+}
+
+// Error messages returned to denied callers. They are multi-line so the
+// suggested commands sit on their own line for easy triple-click copy-paste.
+const (
+	errNoPeerCreds = "peer credentials unavailable; rerun via the netbird CLI"
+
+	errNoOwnerConfigured = `no daemon owner is configured and no console-session user matches your UID.
+Run as root for one-off use:
+    sudo netbird ...
+Or call from the active console session: the first call from the user logged in
+at the GUI/console claims ownership automatically.`
+
+	errOwnerRequired = `this operation requires root or the daemon owner (uid %d is not an owner).
+Run as root for one-off use:
+    sudo netbird ...
+Or ask an existing owner (or root) to add you:
+    sudo netbird owner add %[1]d`
+)
+
+// consoleUIDLookup is the function used to look up the active console UID.
+// Overridable in tests; defaults to the platform implementation.
+var consoleUIDLookup = consoleuser.ActiveUID
+
+// OwnerConfig provides access to the current owner UIDs setting.
+// The interceptor reads and writes through this interface so it can
+// work with the profile manager's config without a direct dependency.
+type OwnerConfig interface {
+	// GetOwnerUIDs returns the current owner UIDs.
+	// nil means legacy/migration TOFU (field absent from existing config).
+	// empty means fresh install (root-only with console-user TOFU exception).
+	// populated means those UIDs plus root may control the daemon.
+	GetOwnerUIDs() []UID
+
+	// AddOwnerUID adds the given UID to the owner list and persists it.
+	AddOwnerUID(uid UID) error
+}
+
+// Interceptor enforces owner restrictions on the daemon gRPC socket.
+type Interceptor struct {
+	config OwnerConfig
+	// mu serializes the read-then-write of OwnerUIDs during TOFU/claim flows
+	// so two concurrent first-callers can't both end up persisted as owners.
+	// Holds across the OwnerConfig.AddOwnerUID call; safe because no callback
+	// path takes this mutex.
+	mu sync.Mutex
+}
+
+// NewInterceptor creates an owner interceptor backed by the given config.
+func NewInterceptor(config OwnerConfig) *Interceptor {
+	return &Interceptor{config: config}
+}
+
+// UnaryInterceptor returns a gRPC unary server interceptor that enforces owner policy.
+func (i *Interceptor) UnaryInterceptor() grpc.UnaryServerInterceptor {
+	return func(
+		ctx context.Context,
+		req any,
+		info *grpc.UnaryServerInfo,
+		handler grpc.UnaryHandler,
+	) (any, error) {
+		if err := i.authorize(ctx, info.FullMethod); err != nil {
+			return nil, err
+		}
+		return handler(ctx, req)
+	}
+}
+
+// StreamInterceptor returns a gRPC stream server interceptor that enforces owner policy.
+func (i *Interceptor) StreamInterceptor() grpc.StreamServerInterceptor {
+	return func(
+		srv any,
+		ss grpc.ServerStream,
+		info *grpc.StreamServerInfo,
+		handler grpc.StreamHandler,
+	) error {
+		if err := i.authorize(ss.Context(), info.FullMethod); err != nil {
+			return err
+		}
+		return handler(srv, ss)
+	}
+}
+
+// authorize checks whether the caller is allowed to call the given method.
+// Every RPC is gated; root is always allowed. Non-root callers are accepted
+// when they are existing owners, when the config is in legacy TOFU state
+// (claim on first call, preserves pre-enforcement behavior), or when the
+// config is in fresh-install state and they match the active console user.
+func (i *Interceptor) authorize(ctx context.Context, fullMethod string) error {
+	uid, ok := UIDFromContext(ctx)
+	if !ok {
+		return status.Error(codes.PermissionDenied, errNoPeerCreds)
+	}
+
+	if uid == 0 {
+		return nil
+	}
+
+	// Profile-management RPCs do their own per-target authorization in the
+	// handler. The interceptor only confirms peer credentials are present.
+	if profileBypassMethods[fullMethod] {
+		return nil
+	}
+
+	i.mu.Lock()
+	defer i.mu.Unlock()
+
+	ownerUIDs := i.config.GetOwnerUIDs()
+
+	switch {
+	case ownerUIDs == nil:
+		// Legacy / migration TOFU: existing pre-enforcement config has no
+		// owners field. Any non-root local caller claims on first call so
+		// upgrades don't break.
+		return i.claim(uid, "migration TOFU")
+
+	case len(ownerUIDs) == 0:
+		// Fresh-install root-only mode with a console-user exception so the
+		// GUI/CLI just works for the user physically at the machine. SSH'd
+		// or otherwise non-console callers are denied.
+		consoleUID, ok := consoleUIDLookup()
+		if ok && uint32(uid) == consoleUID {
+			return i.claim(uid, "console-user TOFU")
+		}
+		return status.Error(codes.PermissionDenied, errNoOwnerConfigured)
+
+	case slices.Contains(ownerUIDs, uid):
+		return nil
+
+	default:
+		return status.Errorf(codes.PermissionDenied, errOwnerRequired, uid)
+	}
+}
+
+// claim adds uid to the owner list and persists it. The caller must hold i.mu.
+func (i *Interceptor) claim(uid UID, reason string) error {
+	log.Infof("%s: claiming owner for UID %d", reason, uid)
+	if err := i.config.AddOwnerUID(uid); err != nil {
+		log.Errorf("persist owner UID: %v", err)
+		return status.Error(codes.Internal, "persist owner UID")
+	}
+	return nil
+}

client/internal/owner/interceptor_test.go

@@ -0,0 +1,277 @@
+package owner
+
+import (
+	"context"
+	"net"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/peer"
+	"google.golang.org/grpc/status"
+)
+
+type mockOwnerConfig struct {
+	uids []UID
+	err  error
+}
+
+func (m *mockOwnerConfig) GetOwnerUIDs() []UID {
+	return m.uids
+}
+
+func (m *mockOwnerConfig) AddOwnerUID(uid UID) error {
+	if m.err != nil {
+		return m.err
+	}
+	m.uids = append(m.uids, uid)
+	return nil
+}
+
+func peerContext(uid UID) context.Context {
+	return peer.NewContext(context.Background(), &peer.Peer{
+		Addr: &net.UnixAddr{Name: "/tmp/test.sock", Net: "unix"},
+		AuthInfo: UnixAuthInfo{
+			CommonAuthInfo: credentials.CommonAuthInfo{SecurityLevel: credentials.NoSecurity},
+			UID:            uid,
+		},
+	})
+}
+
+func noPeerContext() context.Context {
+	return context.Background()
+}
+
+// withConsoleUID overrides the platform console-user lookup for a single test.
+func withConsoleUID(t *testing.T, uid uint32, ok bool) {
+	t.Helper()
+	prev := consoleUIDLookup
+	consoleUIDLookup = func() (uint32, bool) { return uid, ok }
+	t.Cleanup(func() { consoleUIDLookup = prev })
+}
+
+func TestInterceptor_RootAlwaysAllowed(t *testing.T) {
+	cfg := &mockOwnerConfig{uids: []UID{1000}}
+	interceptor := NewInterceptor(cfg)
+
+	for _, method := range []string{
+		"/daemon.DaemonService/Up",
+		"/daemon.DaemonService/Status",
+		"/daemon.DaemonService/Down",
+	} {
+		err := interceptor.authorize(peerContext(0), method)
+		assert.NoError(t, err, "root should always be allowed for %s", method)
+	}
+}
+
+func TestInterceptor_NoPeerCreds_AlwaysDenies(t *testing.T) {
+	cfg := &mockOwnerConfig{uids: []UID{1000}}
+	interceptor := NewInterceptor(cfg)
+
+	for _, method := range []string{
+		"/daemon.DaemonService/Status",
+		"/daemon.DaemonService/Up",
+		"/daemon.DaemonService/SomeNewMethod",
+	} {
+		err := interceptor.authorize(noPeerContext(), method)
+		require.Error(t, err, "method %s should be denied without peer creds", method)
+		assert.Equal(t, codes.PermissionDenied, status.Code(err))
+	}
+}
+
+// TestInterceptor_LegacyMigration covers the nil-OwnerUIDs branch:
+// pre-enforcement configs upgraded to this version. Any non-root local caller
+// can claim on first call.
+func TestInterceptor_LegacyMigration_AnyCallerClaims(t *testing.T) {
+	withConsoleUID(t, 0, false) // no console; should not matter for nil
+	cfg := &mockOwnerConfig{uids: nil}
+	interceptor := NewInterceptor(cfg)
+
+	// First call from any UID claims regardless of method.
+	err := interceptor.authorize(peerContext(1000), "/daemon.DaemonService/Status")
+	require.NoError(t, err)
+	require.Equal(t, []UID{1000}, cfg.uids)
+
+	// After claim, a different UID is denied.
+	err = interceptor.authorize(peerContext(2000), "/daemon.DaemonService/Status")
+	require.Error(t, err)
+	assert.Equal(t, codes.PermissionDenied, status.Code(err))
+}
+
+// TestInterceptor_FreshInstall covers the empty-OwnerUIDs branch: console-user
+// can claim, others denied.
+func TestInterceptor_FreshInstall_ConsoleUserClaims(t *testing.T) {
+	withConsoleUID(t, 1000, true)
+	cfg := &mockOwnerConfig{uids: []UID{}}
+	interceptor := NewInterceptor(cfg)
+
+	err := interceptor.authorize(peerContext(1000), "/daemon.DaemonService/Status")
+	require.NoError(t, err)
+	require.Equal(t, []UID{1000}, cfg.uids)
+}
+
+func TestInterceptor_FreshInstall_NonConsoleDenied(t *testing.T) {
+	withConsoleUID(t, 1000, true)
+	cfg := &mockOwnerConfig{uids: []UID{}}
+	interceptor := NewInterceptor(cfg)
+
+	err := interceptor.authorize(peerContext(2000), "/daemon.DaemonService/Up")
+	require.Error(t, err)
+	assert.Equal(t, codes.PermissionDenied, status.Code(err))
+	assert.Empty(t, cfg.uids, "non-console caller must not claim")
+}
+
+func TestInterceptor_FreshInstall_NoConsole_Denied(t *testing.T) {
+	withConsoleUID(t, 0, false)
+	cfg := &mockOwnerConfig{uids: []UID{}}
+	interceptor := NewInterceptor(cfg)
+
+	err := interceptor.authorize(peerContext(1000), "/daemon.DaemonService/Up")
+	require.Error(t, err)
+	assert.Equal(t, codes.PermissionDenied, status.Code(err))
+}
+
+func TestInterceptor_OwnerUID_AllowsOwner(t *testing.T) {
+	cfg := &mockOwnerConfig{uids: []UID{1000}}
+	interceptor := NewInterceptor(cfg)
+
+	err := interceptor.authorize(peerContext(1000), "/daemon.DaemonService/Down")
+	assert.NoError(t, err)
+}
+
+func TestInterceptor_OwnerUID_DeniesOther(t *testing.T) {
+	withConsoleUID(t, 9999, true) // console-user TOFU should not apply once owners exist
+	cfg := &mockOwnerConfig{uids: []UID{1000}}
+	interceptor := NewInterceptor(cfg)
+
+	err := interceptor.authorize(peerContext(2000), "/daemon.DaemonService/Down")
+	require.Error(t, err)
+	assert.Equal(t, codes.PermissionDenied, status.Code(err))
+}
+
+func TestInterceptor_MultipleOwners(t *testing.T) {
+	cfg := &mockOwnerConfig{uids: []UID{1000, 2000}}
+	interceptor := NewInterceptor(cfg)
+
+	err := interceptor.authorize(peerContext(1000), "/daemon.DaemonService/Down")
+	assert.NoError(t, err)
+
+	err = interceptor.authorize(peerContext(2000), "/daemon.DaemonService/Up")
+	assert.NoError(t, err)
+
+	err = interceptor.authorize(peerContext(3000), "/daemon.DaemonService/Down")
+	require.Error(t, err)
+	assert.Equal(t, codes.PermissionDenied, status.Code(err))
+}
+
+// TestInterceptor_UnknownMethodRequiresOwner pins the safe-by-default invariant:
+// any future RPC still goes through owner enforcement.
+func TestInterceptor_UnknownMethodRequiresOwner(t *testing.T) {
+	cfg := &mockOwnerConfig{uids: []UID{1000}}
+	interceptor := NewInterceptor(cfg)
+
+	err := interceptor.authorize(peerContext(2000), "/daemon.DaemonService/SomeFutureMethod")
+	require.Error(t, err)
+	assert.Equal(t, codes.PermissionDenied, status.Code(err))
+
+	err = interceptor.authorize(peerContext(1000), "/daemon.DaemonService/SomeFutureMethod")
+	assert.NoError(t, err)
+}
+
+func TestInterceptor_ErrorMessageActionable(t *testing.T) {
+	withConsoleUID(t, 9999, true)
+	cfg := &mockOwnerConfig{uids: []UID{1000}}
+	interceptor := NewInterceptor(cfg)
+
+	err := interceptor.authorize(peerContext(2000), "/daemon.DaemonService/Down")
+	require.Error(t, err)
+	msg := status.Convert(err).Message()
+	assert.Contains(t, msg, "sudo netbird")
+	assert.Contains(t, msg, "owner add")
+}
+
+func TestInterceptor_UnaryIntegration(t *testing.T) {
+	cfg := &mockOwnerConfig{uids: []UID{1000}}
+	interceptor := NewInterceptor(cfg)
+
+	unary := interceptor.UnaryInterceptor()
+
+	resp, err := unary(peerContext(1000), nil, &grpc.UnaryServerInfo{FullMethod: "/daemon.DaemonService/Down"}, func(ctx context.Context, req any) (any, error) {
+		return "ok", nil
+	})
+	require.NoError(t, err)
+	assert.Equal(t, "ok", resp)
+
+	_, err = unary(peerContext(2000), nil, &grpc.UnaryServerInfo{FullMethod: "/daemon.DaemonService/Down"}, func(ctx context.Context, req any) (any, error) {
+		t.Fatal("handler should not be called")
+		return nil, nil
+	})
+	require.Error(t, err)
+	assert.Equal(t, codes.PermissionDenied, status.Code(err))
+}
+
+func TestInterceptor_StreamIntegration(t *testing.T) {
+	cfg := &mockOwnerConfig{uids: []UID{1000}}
+	interceptor := NewInterceptor(cfg)
+
+	stream := interceptor.StreamInterceptor()
+
+	called := false
+	err := stream(nil, &mockServerStream{ctx: peerContext(1000)},
+		&grpc.StreamServerInfo{FullMethod: "/daemon.DaemonService/SubscribeEvents"},
+		func(srv any, stream grpc.ServerStream) error {
+			called = true
+			return nil
+		})
+	require.NoError(t, err)
+	assert.True(t, called)
+
+	err = stream(nil, &mockServerStream{ctx: peerContext(2000)},
+		&grpc.StreamServerInfo{FullMethod: "/daemon.DaemonService/SubscribeEvents"},
+		func(srv any, stream grpc.ServerStream) error {
+			t.Fatal("handler should not be called")
+			return nil
+		})
+	require.Error(t, err)
+	assert.Equal(t, codes.PermissionDenied, status.Code(err))
+}
+
+type mockServerStream struct {
+	grpc.ServerStream
+	ctx context.Context
+}
+
+func (m *mockServerStream) Context() context.Context { return m.ctx }
+
+// TestInterceptor_ProfileBypass pins that profile-management methods reach
+// the handler regardless of active-profile ownership; the handler enforces
+// per-target-profile auth itself.
+func TestInterceptor_ProfileBypass(t *testing.T) {
+	cfg := &mockOwnerConfig{uids: []UID{1000}}
+	interceptor := NewInterceptor(cfg)
+
+	// Caller UID 2000 is not an owner of the active profile but must be
+	// allowed through for these methods.
+	for _, method := range []string{
+		"/daemon.DaemonService/AddProfile",
+		"/daemon.DaemonService/ListProfiles",
+		"/daemon.DaemonService/RemoveProfile",
+		"/daemon.DaemonService/SwitchProfile",
+	} {
+		err := interceptor.authorize(peerContext(2000), method)
+		assert.NoError(t, err, "profile method %s should bypass active-owner check", method)
+	}
+
+	// Without peer creds, even bypass methods are denied.
+	for _, method := range []string{
+		"/daemon.DaemonService/AddProfile",
+		"/daemon.DaemonService/SwitchProfile",
+	} {
+		err := interceptor.authorize(noPeerContext(), method)
+		require.Error(t, err, "bypass method %s still requires peer creds", method)
+		assert.Equal(t, codes.PermissionDenied, status.Code(err))
+	}
+}

client/internal/owner/transport_bsd.go

@@ -0,0 +1,66 @@
+//go:build darwin || freebsd
+
+package owner
+
+import (
+	"context"
+	"fmt"
+	"net"
+
+	"golang.org/x/sys/unix"
+	"google.golang.org/grpc/credentials"
+)
+
+// NewUnixTransportCredentials returns gRPC TransportCredentials that extract
+// peer UID from Unix socket connections via LOCAL_PEERCRED (Xucred).
+func NewUnixTransportCredentials() credentials.TransportCredentials {
+	return &unixCreds{}
+}
+
+type unixCreds struct{}
+
+func (c *unixCreds) ClientHandshake(_ context.Context, _ string, conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
+	return conn, UnixAuthInfo{}, nil
+}
+
+// ServerHandshake extracts peer credentials from the Unix connection using LOCAL_PEERCRED.
+// Returns an error if credentials cannot be extracted (fail-closed).
+func (c *unixCreds) ServerHandshake(conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
+	uc, ok := conn.(*net.UnixConn)
+	if !ok {
+		return nil, nil, fmt.Errorf("expected *net.UnixConn, got %T", conn)
+	}
+
+	raw, err := uc.SyscallConn()
+	if err != nil {
+		return nil, nil, fmt.Errorf("get raw conn for peer credentials: %w", err)
+	}
+
+	var xucred *unix.Xucred
+	var credErr error
+	if err := raw.Control(func(fd uintptr) {
+		xucred, credErr = unix.GetsockoptXucred(int(fd), unix.SOL_LOCAL, unix.LOCAL_PEERCRED)
+	}); err != nil {
+		return nil, nil, fmt.Errorf("control raw conn for peer credentials: %w", err)
+	}
+	if credErr != nil {
+		return nil, nil, fmt.Errorf("get peer credentials: %w", credErr)
+	}
+
+	return conn, UnixAuthInfo{
+		CommonAuthInfo: credentials.CommonAuthInfo{SecurityLevel: credentials.NoSecurity},
+		UID:            UID(xucred.Uid),
+	}, nil
+}
+
+func (c *unixCreds) Info() credentials.ProtocolInfo {
+	return credentials.ProtocolInfo{SecurityProtocol: "unix_peercred"}
+}
+
+func (c *unixCreds) Clone() credentials.TransportCredentials {
+	return &unixCreds{}
+}
+
+func (c *unixCreds) OverrideServerName(_ string) error {
+	return nil
+}

client/internal/owner/transport_generic.go

@@ -0,0 +1,11 @@
+//go:build !linux && !darwin && !freebsd
+
+package owner
+
+import "google.golang.org/grpc/credentials"
+
+// NewUnixTransportCredentials returns nil on platforms without Unix socket peer credentials.
+// The daemon should use insecure credentials and skip owner enforcement.
+func NewUnixTransportCredentials() credentials.TransportCredentials {
+	return nil
+}

client/internal/owner/transport_linux.go

@@ -0,0 +1,66 @@
+package owner
+
+import (
+	"context"
+	"fmt"
+	"net"
+
+	"golang.org/x/sys/unix"
+	"google.golang.org/grpc/credentials"
+)
+
+// NewUnixTransportCredentials returns gRPC TransportCredentials that extract
+// peer UID/GID/PID from Unix socket connections via SO_PEERCRED.
+func NewUnixTransportCredentials() credentials.TransportCredentials {
+	return &unixCreds{}
+}
+
+type unixCreds struct{}
+
+func (c *unixCreds) ClientHandshake(_ context.Context, _ string, conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
+	return conn, UnixAuthInfo{}, nil
+}
+
+// ServerHandshake extracts peer credentials from the Unix connection.
+// Returns an error if credentials cannot be extracted (fail-closed).
+func (c *unixCreds) ServerHandshake(conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
+	uc, ok := conn.(*net.UnixConn)
+	if !ok {
+		return nil, nil, fmt.Errorf("expected *net.UnixConn, got %T", conn)
+	}
+
+	raw, err := uc.SyscallConn()
+	if err != nil {
+		return nil, nil, fmt.Errorf("get raw conn for peer credentials: %w", err)
+	}
+
+	var ucred *unix.Ucred
+	var credErr error
+	if err := raw.Control(func(fd uintptr) {
+		ucred, credErr = unix.GetsockoptUcred(int(fd), unix.SOL_SOCKET, unix.SO_PEERCRED)
+	}); err != nil {
+		return nil, nil, fmt.Errorf("control raw conn for peer credentials: %w", err)
+	}
+	if credErr != nil {
+		return nil, nil, fmt.Errorf("get peer credentials: %w", credErr)
+	}
+
+	return conn, UnixAuthInfo{
+		CommonAuthInfo: credentials.CommonAuthInfo{SecurityLevel: credentials.NoSecurity},
+		UID:            UID(ucred.Uid),
+		GID:            ucred.Gid,
+		PID:            ucred.Pid,
+	}, nil
+}
+
+func (c *unixCreds) Info() credentials.ProtocolInfo {
+	return credentials.ProtocolInfo{SecurityProtocol: "unix_peercred"}
+}
+
+func (c *unixCreds) Clone() credentials.TransportCredentials {
+	return &unixCreds{}
+}
+
+func (c *unixCreds) OverrideServerName(_ string) error {
+	return nil
+}

client/internal/owner/transport_test.go

@@ -0,0 +1,107 @@
+package owner
+
+import (
+	"net"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/credentials"
+)
+
+func TestUnixTransportCredentials_ServerHandshake(t *testing.T) {
+	creds := NewUnixTransportCredentials()
+	if creds == nil {
+		t.Skip("unix transport credentials not supported on this platform")
+	}
+
+	sockPath := filepath.Join(t.TempDir(), "test.sock")
+
+	ln, err := net.Listen("unix", sockPath)
+	require.NoError(t, err)
+	t.Cleanup(func() { ln.Close() })
+
+	done := make(chan struct{})
+	var serverConn net.Conn
+	var serverAuth credentials.AuthInfo
+	var serverErr error
+
+	go func() {
+		defer close(done)
+		raw, err := ln.Accept()
+		if err != nil {
+			serverErr = err
+			return
+		}
+		serverConn, serverAuth, serverErr = creds.ServerHandshake(raw)
+	}()
+
+	client, err := net.Dial("unix", sockPath)
+	require.NoError(t, err)
+	t.Cleanup(func() { client.Close() })
+
+	<-done
+	require.NoError(t, serverErr)
+	require.NotNil(t, serverConn)
+	t.Cleanup(func() { serverConn.Close() })
+
+	authInfo, ok := serverAuth.(UnixAuthInfo)
+	require.True(t, ok, "expected UnixAuthInfo, got %T", serverAuth)
+	assert.Equal(t, UID(os.Getuid()), authInfo.UID, "UID should match current user")
+}
+
+func TestUnixTransportCredentials_ServerHandshake_NonUnixConn(t *testing.T) {
+	creds := NewUnixTransportCredentials()
+	if creds == nil {
+		t.Skip("unix transport credentials not supported on this platform")
+	}
+
+	// Use a TCP connection, which is not *net.UnixConn.
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	t.Cleanup(func() { ln.Close() })
+
+	done := make(chan struct{})
+	var handshakeErr error
+
+	go func() {
+		defer close(done)
+		raw, err := ln.Accept()
+		if err != nil {
+			handshakeErr = err
+			return
+		}
+		defer raw.Close()
+		_, _, handshakeErr = creds.ServerHandshake(raw)
+	}()
+
+	client, err := net.Dial("tcp", ln.Addr().String())
+	require.NoError(t, err)
+	t.Cleanup(func() { client.Close() })
+
+	<-done
+	require.Error(t, handshakeErr, "ServerHandshake must fail for non-Unix connections")
+}
+
+func TestUnixTransportCredentials_Info(t *testing.T) {
+	creds := NewUnixTransportCredentials()
+	if creds == nil {
+		t.Skip("unix transport credentials not supported on this platform")
+	}
+
+	info := creds.Info()
+	assert.Equal(t, "unix_peercred", info.SecurityProtocol)
+}
+
+func TestUnixTransportCredentials_Clone(t *testing.T) {
+	creds := NewUnixTransportCredentials()
+	if creds == nil {
+		t.Skip("unix transport credentials not supported on this platform")
+	}
+
+	cloned := creds.Clone()
+	require.NotNil(t, cloned)
+	assert.Equal(t, creds.Info(), cloned.Info())
+}

client/internal/owner/uid.go

@@ -0,0 +1,5 @@
+package owner
+
+// UID is a Unix user ID. Defined as a distinct type so it can't be silently
+// swapped with GID, PID, or other uint32 values at call sites.
+type UID uint32

client/internal/portforward/pcp/nat.go

@@ -179,10 +179,8 @@ func getDefaultGateway() (gateway net.IP, localIP net.IP, err error) {
 	}
 
 	dst := net.IPv4zero
-	if runtime.GOOS == "linux" || runtime.GOOS == "android" {
-		// go-netroute v0.4.0 rejects unspecified destinations client-side on Linux/Android.
-		// TODO: on android/ios, use platform APIs (ConnectivityManager.getLinkProperties /
-		// NWPathMonitor) when netlink-based lookup is restricted or unavailable.
+	if runtime.GOOS == "linux" {
+		// go-netroute v0.4.0 rejects unspecified destinations client-side on Linux.
 		dst = net.IPv4(0, 0, 0, 1)
 	}
 	_, gateway, localIP, err = router.Route(dst)
@@ -205,7 +203,7 @@ func getDefaultGateway6() (gateway net.IP, localIP net.IP, err error) {
 	}
 
 	dst := net.IPv6zero
-	if runtime.GOOS == "linux" || runtime.GOOS == "android" {
+	if runtime.GOOS == "linux" {
 		// ::2
 		dst = net.IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2}
 	}

client/internal/profilemanager/config.go

@@ -21,6 +21,7 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/client/internal/owner"
 	"github.com/netbirdio/netbird/client/internal/routemanager/dynamic"
 	"github.com/netbirdio/netbird/client/ssh"
 	mgm "github.com/netbirdio/netbird/shared/management/client"
@@ -99,6 +100,10 @@ type ConfigInput struct {
 	LazyConnectionEnabled *bool
 
 	MTU *uint16
+
+	// OwnerUIDs sets the UIDs of users allowed to control the daemon.
+	// When non-nil, replaces the config's OwnerUIDs.
+	OwnerUIDs []owner.UID
 }
 
 // Config Configuration type
@@ -174,6 +179,12 @@ type Config struct {
 	LazyConnectionEnabled bool
 
 	MTU uint16
+
+	// OwnerUIDs controls who can perform privileged daemon operations via the gRPC socket.
+	// nil (absent from JSON): TOFU mode, first privileged caller claims ownership (backward compat for existing installs).
+	// [] (empty slice): root-only, no non-root owners until explicitly set via "netbird up --owner".
+	// [uid1, uid2, ...]: these UIDs plus root can perform privileged operations.
+	OwnerUIDs []owner.UID `json:"OwnerUIDs"`
 }
 
 var ConfigDirOverride string
@@ -234,10 +245,18 @@ func fileExists(path string) (bool, error) {
 
 // createNewConfig creates a new config generating a new Wireguard key and saving to file
 func createNewConfig(input ConfigInput) (*Config, error) {
+	// Seed owner UIDs from environment if set (for MDM deployments),
+	// otherwise default to root-only (empty slice).
+	ownerUIDs := owner.OwnerUIDsFromEnv()
+	if ownerUIDs == nil {
+		ownerUIDs = []owner.UID{}
+	}
+
 	config := &Config{
 		// defaults to false only for new (post 0.26) configurations
 		ServerSSHAllowed: util.False(),
 		WgPort:           iface.DefaultWgPort,
+		OwnerUIDs:        ownerUIDs,
 	}
 
 	if _, err := config.apply(input); err != nil {
@@ -612,6 +631,14 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}
 
+	if input.OwnerUIDs != nil {
+		if !slices.Equal(config.OwnerUIDs, input.OwnerUIDs) {
+			log.Infof("updating owner UIDs to %v", input.OwnerUIDs)
+			config.OwnerUIDs = input.OwnerUIDs
+			updated = true
+		}
+	}
+
 	return updated, nil
 }
 

client/internal/profilemanager/service.go

@@ -13,6 +13,7 @@ import (
 
 	log "github.com/sirupsen/logrus"
 
+	"github.com/netbirdio/netbird/client/internal/owner"
 	"github.com/netbirdio/netbird/util"
 )
 
@@ -243,7 +244,10 @@ func (s *ServiceManager) DefaultProfilePath() string {
 	return DefaultConfigPath
 }
 
-func (s *ServiceManager) AddProfile(profileName, username string) error {
+// AddProfile creates a new profile with the given name. inheritOwnerUIDs is
+// applied to the new profile's OwnerUIDs (pass the active profile's owners so
+// the caller stays authorized; pass nil to leave the default empty/env-seeded).
+func (s *ServiceManager) AddProfile(profileName, username string, inheritOwnerUIDs []owner.UID) error {
 	configDir, err := s.getConfigDir(username)
 	if err != nil {
 		return fmt.Errorf("failed to get config directory: %w", err)
@@ -264,7 +268,7 @@ func (s *ServiceManager) AddProfile(profileName, username string) error {
 		return ErrProfileAlreadyExists
 	}
 
-	cfg, err := createNewConfig(ConfigInput{ConfigPath: profPath})
+	cfg, err := createNewConfig(ConfigInput{ConfigPath: profPath, OwnerUIDs: inheritOwnerUIDs})
 	if err != nil {
 		return fmt.Errorf("failed to create new config: %w", err)
 	}

client/proto/daemon.proto

@@ -91,6 +91,15 @@ service DaemonService {
 
   rpc GetActiveProfile(GetActiveProfileRequest) returns (GetActiveProfileResponse) {}
 
+  // AddOwner adds a UID to the active profile's owner list. Requires
+  // root or an existing owner.
+  rpc AddOwner(AddOwnerRequest) returns (AddOwnerResponse) {}
+
+  // ResetOwner clears the active profile's owner list, returning it to
+  // the unconfigured state. The next call from the active console-session
+  // user will then re-claim ownership. Requires root.
+  rpc ResetOwner(ResetOwnerRequest) returns (ResetOwnerResponse) {}
+
   // Logout disconnects from the network and deletes the peer from the management server
   rpc Logout(LogoutRequest) returns (LogoutResponse) {}
 
@@ -227,6 +236,10 @@ message UpRequest {
   optional string profileName = 1;
   optional string username = 2;
   reserved 3;
+  // When true, the caller claims owner privileges for this profile.
+  // Requires root or current owner; for new installs (root-only mode),
+  // the calling UID becomes an owner.
+  bool claimOwner = 4;
 }
 
 message UpResponse {}
@@ -689,6 +702,16 @@ message AddProfileRequest {
 
 message AddProfileResponse {}
 
+message AddOwnerRequest {
+  uint32 uid = 1;
+}
+
+message AddOwnerResponse {}
+
+message ResetOwnerRequest {}
+
+message ResetOwnerResponse {}
+
 message RemoveProfileRequest {
   string username = 1;
   string profileName = 2;

client/proto/daemon_grpc.pb.go

@@ -48,6 +48,8 @@ const (
 	DaemonService_RemoveProfile_FullMethodName              = "/daemon.DaemonService/RemoveProfile"
 	DaemonService_ListProfiles_FullMethodName               = "/daemon.DaemonService/ListProfiles"
 	DaemonService_GetActiveProfile_FullMethodName           = "/daemon.DaemonService/GetActiveProfile"
+	DaemonService_AddOwner_FullMethodName                   = "/daemon.DaemonService/AddOwner"
+	DaemonService_ResetOwner_FullMethodName                 = "/daemon.DaemonService/ResetOwner"
 	DaemonService_Logout_FullMethodName                     = "/daemon.DaemonService/Logout"
 	DaemonService_GetFeatures_FullMethodName                = "/daemon.DaemonService/GetFeatures"
 	DaemonService_TriggerUpdate_FullMethodName              = "/daemon.DaemonService/TriggerUpdate"
@@ -115,6 +117,13 @@ type DaemonServiceClient interface {
 	RemoveProfile(ctx context.Context, in *RemoveProfileRequest, opts ...grpc.CallOption) (*RemoveProfileResponse, error)
 	ListProfiles(ctx context.Context, in *ListProfilesRequest, opts ...grpc.CallOption) (*ListProfilesResponse, error)
 	GetActiveProfile(ctx context.Context, in *GetActiveProfileRequest, opts ...grpc.CallOption) (*GetActiveProfileResponse, error)
+	// AddOwner adds a UID to the active profile's owner list. Requires
+	// root or an existing owner.
+	AddOwner(ctx context.Context, in *AddOwnerRequest, opts ...grpc.CallOption) (*AddOwnerResponse, error)
+	// ResetOwner clears the active profile's owner list, returning it to
+	// the unconfigured state. The next call from the active console-session
+	// user will then re-claim ownership. Requires root.
+	ResetOwner(ctx context.Context, in *ResetOwnerRequest, opts ...grpc.CallOption) (*ResetOwnerResponse, error)
 	// Logout disconnects from the network and deletes the peer from the management server
 	Logout(ctx context.Context, in *LogoutRequest, opts ...grpc.CallOption) (*LogoutResponse, error)
 	GetFeatures(ctx context.Context, in *GetFeaturesRequest, opts ...grpc.CallOption) (*GetFeaturesResponse, error)
@@ -452,6 +461,26 @@ func (c *daemonServiceClient) GetActiveProfile(ctx context.Context, in *GetActiv
 	return out, nil
 }
 
+func (c *daemonServiceClient) AddOwner(ctx context.Context, in *AddOwnerRequest, opts ...grpc.CallOption) (*AddOwnerResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(AddOwnerResponse)
+	err := c.cc.Invoke(ctx, DaemonService_AddOwner_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) ResetOwner(ctx context.Context, in *ResetOwnerRequest, opts ...grpc.CallOption) (*ResetOwnerResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(ResetOwnerResponse)
+	err := c.cc.Invoke(ctx, DaemonService_ResetOwner_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *daemonServiceClient) Logout(ctx context.Context, in *LogoutRequest, opts ...grpc.CallOption) (*LogoutResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(LogoutResponse)
@@ -616,6 +645,13 @@ type DaemonServiceServer interface {
 	RemoveProfile(context.Context, *RemoveProfileRequest) (*RemoveProfileResponse, error)
 	ListProfiles(context.Context, *ListProfilesRequest) (*ListProfilesResponse, error)
 	GetActiveProfile(context.Context, *GetActiveProfileRequest) (*GetActiveProfileResponse, error)
+	// AddOwner adds a UID to the active profile's owner list. Requires
+	// root or an existing owner.
+	AddOwner(context.Context, *AddOwnerRequest) (*AddOwnerResponse, error)
+	// ResetOwner clears the active profile's owner list, returning it to
+	// the unconfigured state. The next call from the active console-session
+	// user will then re-claim ownership. Requires root.
+	ResetOwner(context.Context, *ResetOwnerRequest) (*ResetOwnerResponse, error)
 	// Logout disconnects from the network and deletes the peer from the management server
 	Logout(context.Context, *LogoutRequest) (*LogoutResponse, error)
 	GetFeatures(context.Context, *GetFeaturesRequest) (*GetFeaturesResponse, error)
@@ -732,6 +768,12 @@ func (UnimplementedDaemonServiceServer) ListProfiles(context.Context, *ListProfi
 func (UnimplementedDaemonServiceServer) GetActiveProfile(context.Context, *GetActiveProfileRequest) (*GetActiveProfileResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method GetActiveProfile not implemented")
 }
+func (UnimplementedDaemonServiceServer) AddOwner(context.Context, *AddOwnerRequest) (*AddOwnerResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method AddOwner not implemented")
+}
+func (UnimplementedDaemonServiceServer) ResetOwner(context.Context, *ResetOwnerRequest) (*ResetOwnerResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method ResetOwner not implemented")
+}
 func (UnimplementedDaemonServiceServer) Logout(context.Context, *LogoutRequest) (*LogoutResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method Logout not implemented")
 }
@@ -1291,6 +1333,42 @@ func _DaemonService_GetActiveProfile_Handler(srv interface{}, ctx context.Contex
 	return interceptor(ctx, in, info, handler)
 }
 
+func _DaemonService_AddOwner_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(AddOwnerRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).AddOwner(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: DaemonService_AddOwner_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).AddOwner(ctx, req.(*AddOwnerRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_ResetOwner_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ResetOwnerRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).ResetOwner(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: DaemonService_ResetOwner_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).ResetOwner(ctx, req.(*ResetOwnerRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _DaemonService_Logout_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(LogoutRequest)
 	if err := dec(in); err != nil {
@@ -1579,6 +1657,14 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetActiveProfile",
 			Handler:    _DaemonService_GetActiveProfile_Handler,
 		},
+		{
+			MethodName: "AddOwner",
+			Handler:    _DaemonService_AddOwner_Handler,
+		},
+		{
+			MethodName: "ResetOwner",
+			Handler:    _DaemonService_ResetOwner_Handler,
+		},
 		{
 			MethodName: "Logout",
 			Handler:    _DaemonService_Logout_Handler,

client/server/owner.go

@@ -0,0 +1,172 @@
+package server
+
+import (
+	"context"
+	"fmt"
+	"slices"
+
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/internal/owner"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
+	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/util"
+)
+
+// authorizeTargetProfile enforces the "match or root" rule for operations
+// that target a specific profile (Remove/Switch). The caller must be root
+// or appear in the target profile config's OwnerUIDs. A target profile in
+// legacy TOFU state (nil OwnerUIDs) is treated as unowned and therefore
+// accessible to any peer-creds caller, which matches pre-enforcement
+// behavior on upgraded installs.
+func (s *Server) authorizeTargetProfile(ctx context.Context, profileName, username string) error {
+	uid, ok := owner.UIDFromContext(ctx)
+	if !ok {
+		return status.Error(codes.PermissionDenied, "peer credentials unavailable")
+	}
+	if uid == 0 {
+		return nil
+	}
+
+	cfg, err := s.readProfileConfig(profileName, username)
+	if err != nil {
+		return fmt.Errorf("read target profile config: %w", err)
+	}
+
+	// Legacy / never-claimed target: allow, mirroring the migration TOFU
+	// semantics in the interceptor.
+	if cfg.OwnerUIDs == nil {
+		return nil
+	}
+
+	if slices.Contains(cfg.OwnerUIDs, uid) {
+		return nil
+	}
+
+	return status.Errorf(codes.PermissionDenied,
+		"profile %q is owned by another user (uid %d is not in its owner list)", profileName, uid)
+}
+
+// readProfileConfig loads a profile's config from disk without making it
+// active. Used by authorizeTargetProfile.
+func (s *Server) readProfileConfig(profileName, username string) (*profilemanager.Config, error) {
+	state := &profilemanager.ActiveProfileState{Name: profileName, Username: username}
+	path, err := state.FilePath()
+	if err != nil {
+		return nil, fmt.Errorf("resolve profile path: %w", err)
+	}
+	cfg, err := profilemanager.GetConfig(path)
+	if err != nil {
+		return nil, fmt.Errorf("load %s: %w", path, err)
+	}
+	return cfg, nil
+}
+
+// GetOwnerUIDs returns the current owner UIDs from the active config.
+// nil means TOFU mode, empty means root-only, populated means those UIDs are owners.
+func (s *Server) GetOwnerUIDs() []owner.UID {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	if s.config == nil {
+		return nil
+	}
+
+	return s.config.OwnerUIDs
+}
+
+// AddOwnerUID adds the given UID to the owner list in the active profile config.
+func (s *Server) AddOwnerUID(uid owner.UID) error {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	return s.addOwnerUIDLocked(uid)
+}
+
+// addOwnerUIDLocked adds uid to the active profile's owner list and persists it.
+// The caller must hold s.mutex.
+func (s *Server) addOwnerUIDLocked(uid owner.UID) error {
+	if s.config == nil {
+		return fmt.Errorf("config not loaded")
+	}
+
+	if slices.Contains(s.config.OwnerUIDs, uid) {
+		return nil
+	}
+
+	s.config.OwnerUIDs = append(s.config.OwnerUIDs, uid)
+
+	activeProf, err := s.profileManager.GetActiveProfileState()
+	if err != nil {
+		return fmt.Errorf("get active profile: %w", err)
+	}
+
+	cfgPath, err := activeProf.FilePath()
+	if err != nil {
+		return fmt.Errorf("get profile file path: %w", err)
+	}
+
+	if err := util.WriteJson(context.Background(), cfgPath, s.config); err != nil {
+		return fmt.Errorf("write config: %w", err)
+	}
+
+	log.Infof("owner UID %d added in %s (owners: %v)", uid, cfgPath, s.config.OwnerUIDs)
+	return nil
+}
+
+// AddOwner handles the AddOwner RPC. The interceptor has already gated this
+// call (caller must be root or an existing owner); the handler just persists
+// the new UID into the active profile config.
+func (s *Server) AddOwner(_ context.Context, msg *proto.AddOwnerRequest) (*proto.AddOwnerResponse, error) {
+	if msg == nil || msg.Uid == 0 {
+		return nil, status.Error(codes.InvalidArgument, "uid must be non-zero")
+	}
+	if err := s.AddOwnerUID(owner.UID(msg.Uid)); err != nil {
+		return nil, fmt.Errorf("add owner: %w", err)
+	}
+	return &proto.AddOwnerResponse{}, nil
+}
+
+// ResetOwner clears the active profile's owner list. Only callable by root
+// (the interceptor enforces this: a non-owner non-root caller is denied
+// before reaching the handler, and only owners or root can reach Add/Reset
+// at all; we additionally require root here so existing owners can't reset
+// each other out).
+func (s *Server) ResetOwner(ctx context.Context, _ *proto.ResetOwnerRequest) (*proto.ResetOwnerResponse, error) {
+	uid, ok := owner.UIDFromContext(ctx)
+	if !ok {
+		return nil, status.Error(codes.PermissionDenied, "peer credentials unavailable")
+	}
+	if uid != 0 {
+		return nil, status.Error(codes.PermissionDenied, "reset-owner requires root")
+	}
+
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	if s.config == nil {
+		return nil, fmt.Errorf("config not loaded")
+	}
+
+	// Reset to the fresh-install state (empty, not nil): only root and the
+	// active console-session user can reclaim. nil would be legacy migration
+	// TOFU, where any non-root caller (including SSH) could reclaim.
+	s.config.OwnerUIDs = []owner.UID{}
+
+	activeProf, err := s.profileManager.GetActiveProfileState()
+	if err != nil {
+		return nil, fmt.Errorf("get active profile: %w", err)
+	}
+	cfgPath, err := activeProf.FilePath()
+	if err != nil {
+		return nil, fmt.Errorf("get profile file path: %w", err)
+	}
+	if err := util.WriteJson(context.Background(), cfgPath, s.config); err != nil {
+		return nil, fmt.Errorf("write config: %w", err)
+	}
+
+	log.Infof("owner list reset; next call from the active console user will re-claim ownership")
+	return &proto.ResetOwnerResponse{}, nil
+}

client/server/server.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/netbirdio/netbird/client/internal/auth"
 	"github.com/netbirdio/netbird/client/internal/expose"
+	"github.com/netbirdio/netbird/client/internal/owner"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	sleephandler "github.com/netbirdio/netbird/client/internal/sleep/handler"
 	"github.com/netbirdio/netbird/client/system"
@@ -735,6 +736,18 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 	}
 	s.config = config
 
+	// An explicit --owner claim locks the active profile to the calling user
+	// (plus root). Root has no specific UID to claim, so only non-root callers
+	// take effect here; the interceptor has already authorized the call.
+	if msg != nil && msg.ClaimOwner {
+		if uid, ok := owner.UIDFromContext(callerCtx); ok && uid != 0 {
+			if err := s.addOwnerUIDLocked(uid); err != nil {
+				s.mutex.Unlock()
+				return nil, fmt.Errorf("claim owner: %w", err)
+			}
+		}
+	}
+
 	s.statusRecorder.UpdateManagementAddress(s.config.ManagementURL.String())
 	s.statusRecorder.UpdateRosenpass(s.config.RosenpassEnabled, s.config.RosenpassPermissive)
 
@@ -800,6 +813,18 @@ func (s *Server) switchProfileIfNeeded(profileName string, userName *string, act
 
 // SwitchProfile switches the active profile in the daemon.
 func (s *Server) SwitchProfile(callerCtx context.Context, msg *proto.SwitchProfileRequest) (*proto.SwitchProfileResponse, error) {
+	// Switching downs the current session and starts another, so the caller
+	// must own the target profile (or be root).
+	if msg != nil && msg.ProfileName != nil {
+		username := ""
+		if msg.Username != nil {
+			username = *msg.Username
+		}
+		if err := s.authorizeTargetProfile(callerCtx, *msg.ProfileName, username); err != nil {
+			return nil, err
+		}
+	}
+
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
@@ -1564,7 +1589,17 @@ func (s *Server) AddProfile(ctx context.Context, msg *proto.AddProfileRequest) (
 		return nil, gstatus.Errorf(codes.InvalidArgument, "profile name and username must be provided")
 	}
 
-	if err := s.profileManager.AddProfile(msg.ProfileName, msg.Username); err != nil {
+	// New profiles auto-claim the caller as their sole owner so the user who
+	// just created the profile retains control (and other local users can't
+	// touch it via SwitchProfile/RemoveProfile). When called by root, leave
+	// OwnerUIDs at the default (empty/env-seeded); root explicitly didn't
+	// claim ownership for any specific user.
+	var initialOwners []owner.UID
+	if uid, ok := owner.UIDFromContext(ctx); ok && uid != 0 {
+		initialOwners = []owner.UID{uid}
+	}
+
+	if err := s.profileManager.AddProfile(msg.ProfileName, msg.Username, initialOwners); err != nil {
 		log.Errorf("failed to create profile: %v", err)
 		return nil, fmt.Errorf("failed to create profile: %w", err)
 	}
@@ -1574,6 +1609,10 @@ func (s *Server) AddProfile(ctx context.Context, msg *proto.AddProfileRequest) (
 
 // RemoveProfile removes a profile from the daemon.
 func (s *Server) RemoveProfile(ctx context.Context, msg *proto.RemoveProfileRequest) (*proto.RemoveProfileResponse, error) {
+	if err := s.authorizeTargetProfile(ctx, msg.ProfileName, msg.Username); err != nil {
+		return nil, err
+	}
+
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 

combined/cmd/root.go

@@ -67,10 +67,6 @@ func init() {
 	rootCmd.AddCommand(newTokenCommands())
 }
 
-func RootCmd() *cobra.Command {
-	return rootCmd
-}
-
 func Execute() error {
 	return rootCmd.Execute()
 }
@@ -172,7 +168,7 @@ func initializeConfig() error {
 // serverInstances holds all server instances created during startup.
 type serverInstances struct {
 	relaySrv      *relayServer.Server
-	mgmtSrv       mgmtServer.Server
+	mgmtSrv       *mgmtServer.BaseServer
 	signalSrv     *signalServer.Server
 	healthcheck   *healthcheck.Server
 	stunServer    *stun.Server
@@ -328,24 +324,19 @@ func setupServerHooks(servers *serverInstances, cfg *CombinedConfig) {
 		return
 	}
 
-	if s, ok := servers.mgmtSrv.GetContainer(mgmtServer.ContainerKeyBaseServer); ok {
-		if baseServer, ok := s.(*mgmtServer.BaseServer); ok {
-			baseServer.AfterInit(func(s *mgmtServer.BaseServer) {
-				grpcSrv := s.GRPCServer()
+	servers.mgmtSrv.AfterInit(func(s *mgmtServer.BaseServer) {
+		grpcSrv := s.GRPCServer()
 
-				if servers.signalSrv != nil {
-					proto.RegisterSignalExchangeServer(grpcSrv, servers.signalSrv)
-					log.Infof("Signal server registered on port %s", cfg.Server.ListenAddress)
-				}
-
-				s.SetHandlerFunc(createCombinedHandler(grpcSrv, s.APIHandler(), s.IDPHandler(), servers.relaySrv, servers.metricsServer.Meter, cfg))
-				if servers.relaySrv != nil {
-					log.Infof("Relay WebSocket handler added (path: /relay)")
-				}
-			})
+		if servers.signalSrv != nil {
+			proto.RegisterSignalExchangeServer(grpcSrv, servers.signalSrv)
+			log.Infof("Signal server registered on port %s", cfg.Server.ListenAddress)
 		}
-	}
 
+		s.SetHandlerFunc(createCombinedHandler(grpcSrv, s.APIHandler(), s.IDPHandler(), servers.relaySrv, servers.metricsServer.Meter, cfg))
+		if servers.relaySrv != nil {
+			log.Infof("Relay WebSocket handler added (path: /relay)")
+		}
+	})
 }
 
 func startServers(wg *sync.WaitGroup, srv *relayServer.Server, httpHealthcheck *healthcheck.Server, stunServer *stun.Server, metricsServer *sharedMetrics.Metrics) {
@@ -355,32 +346,38 @@ func startServers(wg *sync.WaitGroup, srv *relayServer.Server, httpHealthcheck *
 		log.Infof("Relay WebSocket multiplexed on management port (no separate relay listener)")
 	}
 
-	wg.Go(func() {
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
 		log.Infof("running metrics server: %s%s", metricsServer.Addr, metricsServer.Endpoint)
 		if err := metricsServer.ListenAndServe(); !errors.Is(err, http.ErrServerClosed) {
 			log.Fatalf("failed to start metrics server: %v", err)
 		}
-	})
+	}()
 
-	wg.Go(func() {
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
 		if err := httpHealthcheck.ListenAndServe(); !errors.Is(err, http.ErrServerClosed) {
 			log.Fatalf("failed to start healthcheck server: %v", err)
 		}
-	})
+	}()
 
 	if stunServer != nil {
-		wg.Go(func() {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
 			if err := stunServer.Listen(); err != nil {
 				if errors.Is(err, stun.ErrServerClosed) {
 					return
 				}
 				log.Errorf("STUN server error: %v", err)
 			}
-		})
+		}()
 	}
 }
 
-func shutdownServers(ctx context.Context, srv *relayServer.Server, httpHealthcheck *healthcheck.Server, stunServer *stun.Server, mgmtSrv mgmtServer.Server, metricsServer *sharedMetrics.Metrics) error {
+func shutdownServers(ctx context.Context, srv *relayServer.Server, httpHealthcheck *healthcheck.Server, stunServer *stun.Server, mgmtSrv *mgmtServer.BaseServer, metricsServer *sharedMetrics.Metrics) error {
 	var errs error
 
 	if err := httpHealthcheck.Shutdown(ctx); err != nil {
@@ -494,7 +491,7 @@ func handleTLSConfig(cfg *CombinedConfig) (*tls.Config, bool, error) {
 	return nil, false, nil
 }
 
-func createManagementServer(cfg *CombinedConfig, mgmtConfig *nbconfig.Config) (mgmtServer.Server, error) {
+func createManagementServer(cfg *CombinedConfig, mgmtConfig *nbconfig.Config) (*mgmtServer.BaseServer, error) {
 	mgmt := cfg.Management
 
 	// Extract port from listen address
@@ -505,7 +502,7 @@ func createManagementServer(cfg *CombinedConfig, mgmtConfig *nbconfig.Config) (m
 	}
 	mgmtPort, _ := strconv.Atoi(portStr)
 
-	mgmtSrv := newServer(
+	mgmtSrv := mgmtServer.NewServer(
 		&mgmtServer.Config{
 			NbConfig:                mgmtConfig,
 			DNSDomain:               "",

combined/cmd/server.go

@@ -1,13 +0,0 @@
-package cmd
-
-import (
-	mgmtServer "github.com/netbirdio/netbird/management/internals/server"
-)
-
-var newServer = func(cfg *mgmtServer.Config) mgmtServer.Server {
-	return mgmtServer.NewServer(cfg)
-}
-
-func SetNewServer(fn func(*mgmtServer.Config) mgmtServer.Server) {
-	newServer = fn
-}

management/internals/modules/peers/manager.go

@@ -75,7 +75,7 @@ func (m *managerImpl) SetAccountManager(accountManager account.Manager) {
 }
 
 func (m *managerImpl) GetPeer(ctx context.Context, accountID, userID, peerID string) (*peer.Peer, error) {
-	allowed, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Read)
+	allowed, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Read)
 	if err != nil {
 		return nil, fmt.Errorf("failed to validate user permissions: %w", err)
 	}
@@ -88,7 +88,7 @@ func (m *managerImpl) GetPeer(ctx context.Context, accountID, userID, peerID str
 }
 
 func (m *managerImpl) GetAllPeers(ctx context.Context, accountID, userID string) ([]*peer.Peer, error) {
-	allowed, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Read)
+	allowed, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Read)
 	if err != nil {
 		return nil, fmt.Errorf("failed to validate user permissions: %w", err)
 	}

management/internals/modules/reverseproxy/accesslogs/manager/manager.go

@@ -63,7 +63,7 @@ func (m *managerImpl) SaveAccessLog(ctx context.Context, logEntry *accesslogs.Ac
 
 // GetAllAccessLogs retrieves access logs for an account with pagination and filtering
 func (m *managerImpl) GetAllAccessLogs(ctx context.Context, accountID, userID string, filter *accesslogs.AccessLogFilter) ([]*accesslogs.AccessLogEntry, int64, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
 	if err != nil {
 		return nil, 0, status.NewPermissionValidationError(err)
 	}

management/internals/modules/reverseproxy/domain/manager/manager.go

@@ -57,7 +57,7 @@ func NewManager(store store, proxyMgr proxyManager, permissionsManager permissio
 }
 
 func (m Manager) GetDomains(ctx context.Context, accountID, userID string) ([]*domain.Domain, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -122,7 +122,7 @@ func (m Manager) GetDomains(ctx context.Context, accountID, userID string) ([]*d
 }
 
 func (m Manager) CreateDomain(ctx context.Context, accountID, userID, domainName, targetCluster string) (*domain.Domain, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Create)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Create)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -163,7 +163,7 @@ func (m Manager) CreateDomain(ctx context.Context, accountID, userID, domainName
 }
 
 func (m Manager) DeleteDomain(ctx context.Context, accountID, userID, domainID string) error {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Delete)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}
@@ -187,7 +187,7 @@ func (m Manager) DeleteDomain(ctx context.Context, accountID, userID, domainID s
 }
 
 func (m Manager) ValidateDomain(ctx context.Context, accountID, userID, domainID string) {
-	ok, _, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Create)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Create)
 	if err != nil {
 		log.WithFields(log.Fields{
 			"accountID": accountID,

management/internals/modules/reverseproxy/proxytoken/handler.go

@@ -37,7 +37,7 @@ func (h *handler) createToken(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	ok, ctx, err := h.permissionsManager.ValidateUserPermissions(r.Context(), userAuth.AccountId, userAuth.UserId, modules.Services, operations.Create)
+	ok, err := h.permissionsManager.ValidateUserPermissions(r.Context(), userAuth.AccountId, userAuth.UserId, modules.Services, operations.Create)
 	if err != nil {
 		util.WriteErrorResponse("failed to validate permissions", http.StatusInternalServerError, w)
 		return
@@ -76,13 +76,13 @@ func (h *handler) createToken(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err := h.store.SaveProxyAccessToken(ctx, &generated.ProxyAccessToken); err != nil {
+	if err := h.store.SaveProxyAccessToken(r.Context(), &generated.ProxyAccessToken); err != nil {
 		util.WriteErrorResponse("failed to save token", http.StatusInternalServerError, w)
 		return
 	}
 
 	resp := toProxyTokenCreatedResponse(generated)
-	util.WriteJSONObject(ctx, w, resp)
+	util.WriteJSONObject(r.Context(), w, resp)
 }
 
 func (h *handler) listTokens(w http.ResponseWriter, r *http.Request) {
@@ -92,7 +92,7 @@ func (h *handler) listTokens(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	ok, ctx, err := h.permissionsManager.ValidateUserPermissions(r.Context(), userAuth.AccountId, userAuth.UserId, modules.Services, operations.Read)
+	ok, err := h.permissionsManager.ValidateUserPermissions(r.Context(), userAuth.AccountId, userAuth.UserId, modules.Services, operations.Read)
 	if err != nil {
 		util.WriteErrorResponse("failed to validate permissions", http.StatusInternalServerError, w)
 		return
@@ -102,7 +102,7 @@ func (h *handler) listTokens(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	tokens, err := h.store.GetProxyAccessTokensByAccountID(ctx, store.LockingStrengthNone, userAuth.AccountId)
+	tokens, err := h.store.GetProxyAccessTokensByAccountID(r.Context(), store.LockingStrengthNone, userAuth.AccountId)
 	if err != nil {
 		util.WriteErrorResponse("failed to list tokens", http.StatusInternalServerError, w)
 		return
@@ -113,7 +113,7 @@ func (h *handler) listTokens(w http.ResponseWriter, r *http.Request) {
 		resp = append(resp, toProxyTokenResponse(token))
 	}
 
-	util.WriteJSONObject(ctx, w, resp)
+	util.WriteJSONObject(r.Context(), w, resp)
 }
 
 func (h *handler) revokeToken(w http.ResponseWriter, r *http.Request) {
@@ -123,7 +123,7 @@ func (h *handler) revokeToken(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	ok, ctx, err := h.permissionsManager.ValidateUserPermissions(r.Context(), userAuth.AccountId, userAuth.UserId, modules.Services, operations.Delete)
+	ok, err := h.permissionsManager.ValidateUserPermissions(r.Context(), userAuth.AccountId, userAuth.UserId, modules.Services, operations.Delete)
 	if err != nil {
 		util.WriteErrorResponse("failed to validate permissions", http.StatusInternalServerError, w)
 		return
@@ -139,7 +139,7 @@ func (h *handler) revokeToken(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	token, err := h.store.GetProxyAccessTokenByID(ctx, store.LockingStrengthNone, tokenID)
+	token, err := h.store.GetProxyAccessTokenByID(r.Context(), store.LockingStrengthNone, tokenID)
 	if err != nil {
 		if s, ok := status.FromError(err); ok && s.ErrorType == status.NotFound {
 			util.WriteErrorResponse("token not found", http.StatusNotFound, w)
@@ -154,12 +154,12 @@ func (h *handler) revokeToken(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err := h.store.RevokeProxyAccessToken(ctx, tokenID); err != nil {
+	if err := h.store.RevokeProxyAccessToken(r.Context(), tokenID); err != nil {
 		util.WriteErrorResponse("failed to revoke token", http.StatusInternalServerError, w)
 		return
 	}
 
-	util.WriteJSONObject(ctx, w, util.EmptyObject{})
+	util.WriteJSONObject(r.Context(), w, util.EmptyObject{})
 }
 
 func toProxyTokenResponse(token *types.ProxyAccessToken) api.ProxyToken {

management/internals/modules/reverseproxy/proxytoken/handler_test.go

@@ -47,7 +47,7 @@ func TestCreateToken_AccountScoped(t *testing.T) {
 	)
 
 	permsMgr := permissions.NewMockManager(ctrl)
-	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), accountID, "user-1", modules.Services, operations.Create).Return(true, context.Background(), nil)
+	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), accountID, "user-1", modules.Services, operations.Create).Return(true, nil)
 
 	h := &handler{
 		store:              mockStore,
@@ -90,7 +90,7 @@ func TestCreateToken_WithExpiration(t *testing.T) {
 	)
 
 	permsMgr := permissions.NewMockManager(ctrl)
-	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), "acc-123", "user-1", modules.Services, operations.Create).Return(true, context.Background(), nil)
+	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), "acc-123", "user-1", modules.Services, operations.Create).Return(true, nil)
 
 	h := &handler{
 		store:              mockStore,
@@ -115,7 +115,7 @@ func TestCreateToken_EmptyName(t *testing.T) {
 	defer ctrl.Finish()
 
 	permsMgr := permissions.NewMockManager(ctrl)
-	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), "acc-123", "user-1", modules.Services, operations.Create).Return(true, context.Background(), nil)
+	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), "acc-123", "user-1", modules.Services, operations.Create).Return(true, nil)
 
 	h := &handler{
 		permissionsManager: permsMgr,
@@ -135,7 +135,7 @@ func TestCreateToken_PermissionDenied(t *testing.T) {
 	defer ctrl.Finish()
 
 	permsMgr := permissions.NewMockManager(ctrl)
-	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), "acc-123", "user-1", modules.Services, operations.Create).Return(false, context.Background(), nil)
+	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), "acc-123", "user-1", modules.Services, operations.Create).Return(false, nil)
 
 	h := &handler{
 		permissionsManager: permsMgr,
@@ -164,7 +164,7 @@ func TestListTokens(t *testing.T) {
 	}, nil)
 
 	permsMgr := permissions.NewMockManager(ctrl)
-	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), accountID, "user-1", modules.Services, operations.Read).Return(true, context.Background(), nil)
+	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), accountID, "user-1", modules.Services, operations.Read).Return(true, nil)
 
 	h := &handler{
 		store:              mockStore,
@@ -202,7 +202,7 @@ func TestRevokeToken_Success(t *testing.T) {
 	mockStore.EXPECT().RevokeProxyAccessToken(gomock.Any(), "tok-1").Return(nil)
 
 	permsMgr := permissions.NewMockManager(ctrl)
-	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), accountID, "user-1", modules.Services, operations.Delete).Return(true, context.Background(), nil)
+	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), accountID, "user-1", modules.Services, operations.Delete).Return(true, nil)
 
 	h := &handler{
 		store:              mockStore,
@@ -231,7 +231,7 @@ func TestRevokeToken_WrongAccount(t *testing.T) {
 	}, nil)
 
 	permsMgr := permissions.NewMockManager(ctrl)
-	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), "acc-123", "user-1", modules.Services, operations.Delete).Return(true, context.Background(), nil)
+	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), "acc-123", "user-1", modules.Services, operations.Delete).Return(true, nil)
 
 	h := &handler{
 		store:              mockStore,
@@ -258,7 +258,7 @@ func TestRevokeToken_ManagementWideToken(t *testing.T) {
 	}, nil)
 
 	permsMgr := permissions.NewMockManager(ctrl)
-	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), "acc-123", "user-1", modules.Services, operations.Delete).Return(true, context.Background(), nil)
+	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), "acc-123", "user-1", modules.Services, operations.Delete).Return(true, nil)
 
 	h := &handler{
 		store:              mockStore,

management/internals/modules/reverseproxy/service/manager/manager.go

@@ -120,7 +120,7 @@ func (m *Manager) StartExposeReaper(ctx context.Context) {
 // capability flags reported by its active proxies so the dashboard can
 // render feature support without a second round-trip.
 func (m *Manager) GetClusters(ctx context.Context, accountID, userID string) ([]proxy.Cluster, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -146,7 +146,7 @@ func (m *Manager) GetClusters(ctx context.Context, accountID, userID string) ([]
 // DeleteAccountCluster removes all proxy registrations for the given cluster address
 // owned by the account.
 func (m *Manager) DeleteAccountCluster(ctx context.Context, accountID, userID, clusterAddress string) error {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Delete)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}
@@ -158,7 +158,7 @@ func (m *Manager) DeleteAccountCluster(ctx context.Context, accountID, userID, c
 }
 
 func (m *Manager) GetAllServices(ctx context.Context, accountID, userID string) ([]*service.Service, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -222,7 +222,7 @@ func (m *Manager) replaceHostByLookup(ctx context.Context, accountID string, s *
 }
 
 func (m *Manager) GetService(ctx context.Context, accountID, userID, serviceID string) (*service.Service, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -243,7 +243,7 @@ func (m *Manager) GetService(ctx context.Context, accountID, userID, serviceID s
 }
 
 func (m *Manager) CreateService(ctx context.Context, accountID, userID string, s *service.Service) (*service.Service, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Create)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Create)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -528,7 +528,7 @@ func (m *Manager) checkDomainAvailable(ctx context.Context, transaction store.St
 }
 
 func (m *Manager) UpdateService(ctx context.Context, accountID, userID string, service *service.Service) (*service.Service, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Update)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Update)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -836,7 +836,7 @@ func validateResourceTargetType(target *service.Target, resource *resourcetypes.
 }
 
 func (m *Manager) DeleteService(ctx context.Context, accountID, userID, serviceID string) error {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Delete)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}
@@ -876,7 +876,7 @@ func (m *Manager) DeleteService(ctx context.Context, accountID, userID, serviceI
 }
 
 func (m *Manager) DeleteAllServices(ctx context.Context, accountID, userID string) error {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Delete)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}

management/internals/modules/reverseproxy/service/manager/manager_test.go

@@ -1172,7 +1172,7 @@ func TestDeleteService_DeletesTargets(t *testing.T) {
 
 	mockPerms.EXPECT().
 		ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Delete).
-		Return(true, ctx, nil)
+		Return(true, nil)
 	mockAcct.EXPECT().
 		StoreEvent(ctx, userID, service.ID, accountID, activity.ServiceDeleted, gomock.Any())
 	mockAcct.EXPECT().

management/internals/modules/zones/manager/manager.go

@@ -32,7 +32,7 @@ func NewManager(store store.Store, accountManager account.Manager, permissionsMa
 }
 
 func (m *managerImpl) GetAllZones(ctx context.Context, accountID, userID string) ([]*zones.Zone, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Read)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -44,7 +44,7 @@ func (m *managerImpl) GetAllZones(ctx context.Context, accountID, userID string)
 }
 
 func (m *managerImpl) GetZone(ctx context.Context, accountID, userID, zoneID string) (*zones.Zone, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Read)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -56,7 +56,7 @@ func (m *managerImpl) GetZone(ctx context.Context, accountID, userID, zoneID str
 }
 
 func (m *managerImpl) CreateZone(ctx context.Context, accountID, userID string, zone *zones.Zone) (*zones.Zone, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Create)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Create)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -103,7 +103,7 @@ func (m *managerImpl) CreateZone(ctx context.Context, accountID, userID string,
 }
 
 func (m *managerImpl) UpdateZone(ctx context.Context, accountID, userID string, updatedZone *zones.Zone) (*zones.Zone, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Update)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Update)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -151,7 +151,7 @@ func (m *managerImpl) UpdateZone(ctx context.Context, accountID, userID string,
 }
 
 func (m *managerImpl) DeleteZone(ctx context.Context, accountID, userID, zoneID string) error {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Delete)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}

management/internals/modules/zones/manager/manager_test.go

@@ -79,7 +79,7 @@ func TestManagerImpl_GetAllZones(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Read).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		result, err := manager.GetAllZones(ctx, testAccountID, testUserID)
 		require.NoError(t, err)
@@ -95,7 +95,7 @@ func TestManagerImpl_GetAllZones(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Read).
-			Return(false, ctx, nil)
+			Return(false, nil)
 
 		result, err := manager.GetAllZones(ctx, testAccountID, testUserID)
 		require.Error(t, err)
@@ -112,7 +112,7 @@ func TestManagerImpl_GetAllZones(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Read).
-			Return(false, ctx, status.Errorf(status.Internal, "permission check failed"))
+			Return(false, status.Errorf(status.Internal, "permission check failed"))
 
 		result, err := manager.GetAllZones(ctx, testAccountID, testUserID)
 		require.Error(t, err)
@@ -134,7 +134,7 @@ func TestManagerImpl_GetZone(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Read).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		result, err := manager.GetZone(ctx, testAccountID, testUserID, zone.ID)
 		require.NoError(t, err)
@@ -150,7 +150,7 @@ func TestManagerImpl_GetZone(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Read).
-			Return(false, ctx, nil)
+			Return(false, nil)
 
 		result, err := manager.GetZone(ctx, testAccountID, testUserID, testZoneID)
 		require.Error(t, err)
@@ -179,7 +179,7 @@ func TestManagerImpl_CreateZone(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		mockAccountManager.StoreEventFunc = func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
 			assert.Equal(t, testUserID, initiatorID)
@@ -212,7 +212,7 @@ func TestManagerImpl_CreateZone(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
-			Return(false, ctx, nil)
+			Return(false, nil)
 
 		result, err := manager.CreateZone(ctx, testAccountID, testUserID, inputZone)
 		require.Error(t, err)
@@ -235,7 +235,7 @@ func TestManagerImpl_CreateZone(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		result, err := manager.CreateZone(ctx, testAccountID, testUserID, inputZone)
 		require.Error(t, err)
@@ -261,7 +261,7 @@ func TestManagerImpl_CreateZone(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		result, err := manager.CreateZone(ctx, testAccountID, testUserID, inputZone)
 		require.Error(t, err)
@@ -293,7 +293,7 @@ func TestManagerImpl_CreateZone(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		result, err := manager.CreateZone(ctx, testAccountID, testUserID, inputZone)
 		require.Error(t, err)
@@ -319,7 +319,7 @@ func TestManagerImpl_CreateZone(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		result, err := manager.CreateZone(ctx, testAccountID, testUserID, inputZone)
 		require.Error(t, err)
@@ -354,7 +354,7 @@ func TestManagerImpl_UpdateZone(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Update).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		storeEventCalled := false
 		mockAccountManager.StoreEventFunc = func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
@@ -394,7 +394,7 @@ func TestManagerImpl_UpdateZone(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Update).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		result, err := manager.UpdateZone(ctx, testAccountID, testUserID, updatedZone)
 		require.Error(t, err)
@@ -418,7 +418,7 @@ func TestManagerImpl_UpdateZone(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Update).
-			Return(false, ctx, nil)
+			Return(false, nil)
 
 		result, err := manager.UpdateZone(ctx, testAccountID, testUserID, updatedZone)
 		require.Error(t, err)
@@ -441,7 +441,7 @@ func TestManagerImpl_UpdateZone(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Update).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		result, err := manager.UpdateZone(ctx, testAccountID, testUserID, updatedZone)
 		require.Error(t, err)
@@ -471,7 +471,7 @@ func TestManagerImpl_DeleteZone(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Delete).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		storeEventCallCount := 0
 		mockAccountManager.StoreEventFunc = func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
@@ -503,7 +503,7 @@ func TestManagerImpl_DeleteZone(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Delete).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		storeEventCalled := false
 		mockAccountManager.StoreEventFunc = func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
@@ -529,7 +529,7 @@ func TestManagerImpl_DeleteZone(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Delete).
-			Return(false, ctx, nil)
+			Return(false, nil)
 
 		err := manager.DeleteZone(ctx, testAccountID, testUserID, testZoneID)
 		require.Error(t, err)
@@ -545,7 +545,7 @@ func TestManagerImpl_DeleteZone(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Delete).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		err := manager.DeleteZone(ctx, testAccountID, testUserID, "non-existent-zone")
 		require.Error(t, err)

management/internals/modules/zones/records/manager/manager.go

@@ -32,7 +32,7 @@ func NewManager(store store.Store, accountManager account.Manager, permissionsMa
 }
 
 func (m *managerImpl) GetAllRecords(ctx context.Context, accountID, userID, zoneID string) ([]*records.Record, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Read)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -44,7 +44,7 @@ func (m *managerImpl) GetAllRecords(ctx context.Context, accountID, userID, zone
 }
 
 func (m *managerImpl) GetRecord(ctx context.Context, accountID, userID, zoneID, recordID string) (*records.Record, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Read)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -56,7 +56,7 @@ func (m *managerImpl) GetRecord(ctx context.Context, accountID, userID, zoneID,
 }
 
 func (m *managerImpl) CreateRecord(ctx context.Context, accountID, userID, zoneID string, record *records.Record) (*records.Record, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Create)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Create)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -102,7 +102,7 @@ func (m *managerImpl) CreateRecord(ctx context.Context, accountID, userID, zoneI
 }
 
 func (m *managerImpl) UpdateRecord(ctx context.Context, accountID, userID, zoneID string, updatedRecord *records.Record) (*records.Record, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Update)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Update)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -161,7 +161,7 @@ func (m *managerImpl) UpdateRecord(ctx context.Context, accountID, userID, zoneI
 }
 
 func (m *managerImpl) DeleteRecord(ctx context.Context, accountID, userID, zoneID, recordID string) error {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Delete)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}

management/internals/modules/zones/records/manager/manager_test.go

@@ -80,7 +80,7 @@ func TestManagerImpl_GetAllRecords(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Read).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		result, err := manager.GetAllRecords(ctx, testAccountID, testUserID, zone.ID)
 		require.NoError(t, err)
@@ -96,7 +96,7 @@ func TestManagerImpl_GetAllRecords(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Read).
-			Return(false, ctx, nil)
+			Return(false, nil)
 
 		result, err := manager.GetAllRecords(ctx, testAccountID, testUserID, zone.ID)
 		require.Error(t, err)
@@ -113,7 +113,7 @@ func TestManagerImpl_GetAllRecords(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Read).
-			Return(false, ctx, status.Errorf(status.Internal, "permission check failed"))
+			Return(false, status.Errorf(status.Internal, "permission check failed"))
 
 		result, err := manager.GetAllRecords(ctx, testAccountID, testUserID, zone.ID)
 		require.Error(t, err)
@@ -135,7 +135,7 @@ func TestManagerImpl_GetRecord(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Read).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		result, err := manager.GetRecord(ctx, testAccountID, testUserID, zone.ID, record.ID)
 		require.NoError(t, err)
@@ -153,7 +153,7 @@ func TestManagerImpl_GetRecord(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Read).
-			Return(false, ctx, nil)
+			Return(false, nil)
 
 		result, err := manager.GetRecord(ctx, testAccountID, testUserID, zone.ID, testRecordID)
 		require.Error(t, err)
@@ -181,7 +181,7 @@ func TestManagerImpl_CreateRecord(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		mockAccountManager.StoreEventFunc = func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
 			assert.Equal(t, testUserID, initiatorID)
@@ -215,7 +215,7 @@ func TestManagerImpl_CreateRecord(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		mockAccountManager.StoreEventFunc = func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
 			assert.Equal(t, testUserID, initiatorID)
@@ -244,7 +244,7 @@ func TestManagerImpl_CreateRecord(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		mockAccountManager.StoreEventFunc = func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
 			assert.Equal(t, testUserID, initiatorID)
@@ -273,7 +273,7 @@ func TestManagerImpl_CreateRecord(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
-			Return(false, ctx, nil)
+			Return(false, nil)
 
 		result, err := manager.CreateRecord(ctx, testAccountID, testUserID, zone.ID, inputRecord)
 		require.Error(t, err)
@@ -297,7 +297,7 @@ func TestManagerImpl_CreateRecord(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		result, err := manager.CreateRecord(ctx, testAccountID, testUserID, zone.ID, inputRecord)
 		require.Error(t, err)
@@ -323,7 +323,7 @@ func TestManagerImpl_CreateRecord(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		result, err := manager.CreateRecord(ctx, testAccountID, testUserID, zone.ID, inputRecord)
 		require.Error(t, err)
@@ -349,7 +349,7 @@ func TestManagerImpl_CreateRecord(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		result, err := manager.CreateRecord(ctx, testAccountID, testUserID, zone.ID, inputRecord)
 		require.Error(t, err)
@@ -380,7 +380,7 @@ func TestManagerImpl_UpdateRecord(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Update).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		storeEventCalled := false
 		mockAccountManager.StoreEventFunc = func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
@@ -418,7 +418,7 @@ func TestManagerImpl_UpdateRecord(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Update).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		mockAccountManager.StoreEventFunc = func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
 			// Event should be stored
@@ -445,7 +445,7 @@ func TestManagerImpl_UpdateRecord(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Update).
-			Return(false, ctx, nil)
+			Return(false, nil)
 
 		result, err := manager.UpdateRecord(ctx, testAccountID, testUserID, zone.ID, updatedRecord)
 		require.Error(t, err)
@@ -470,7 +470,7 @@ func TestManagerImpl_UpdateRecord(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Update).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		result, err := manager.UpdateRecord(ctx, testAccountID, testUserID, zone.ID, updatedRecord)
 		require.Error(t, err)
@@ -500,7 +500,7 @@ func TestManagerImpl_UpdateRecord(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Update).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		result, err := manager.UpdateRecord(ctx, testAccountID, testUserID, zone.ID, updatedRecord)
 		require.Error(t, err)
@@ -523,7 +523,7 @@ func TestManagerImpl_DeleteRecord(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Delete).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		storeEventCalled := false
 		mockAccountManager.StoreEventFunc = func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
@@ -549,7 +549,7 @@ func TestManagerImpl_DeleteRecord(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Delete).
-			Return(false, ctx, nil)
+			Return(false, nil)
 
 		err := manager.DeleteRecord(ctx, testAccountID, testUserID, zone.ID, testRecordID)
 		require.Error(t, err)
@@ -565,7 +565,7 @@ func TestManagerImpl_DeleteRecord(t *testing.T) {
 
 		mockPermissionsManager.EXPECT().
 			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Delete).
-			Return(true, ctx, nil)
+			Return(true, nil)
 
 		err := manager.DeleteRecord(ctx, testAccountID, testUserID, zone.ID, "non-existent-record")
 		require.Error(t, err)

management/internals/server/server.go

@@ -34,8 +34,6 @@ const (
 	ManagementLegacyPort = 33073
 	// DefaultSelfHostedDomain is the default domain used for self-hosted fresh installs.
 	DefaultSelfHostedDomain = "netbird.selfhosted"
-
-	ContainerKeyBaseServer = "baseServer"
 )
 
 type Server interface {
@@ -93,7 +91,7 @@ type Config struct {
 
 // NewServer initializes and configures a new Server instance
 func NewServer(cfg *Config) *BaseServer {
-	s := &BaseServer{
+	return &BaseServer{
 		Config:                      cfg.NbConfig,
 		container:                   make(map[string]any),
 		dnsDomain:                   cfg.DNSDomain,
@@ -106,9 +104,6 @@ func NewServer(cfg *Config) *BaseServer {
 		mgmtMetricsPort:             cfg.MgmtMetricsPort,
 		autoResolveDomains:          cfg.AutoResolveDomains,
 	}
-	s.container[ContainerKeyBaseServer] = s
-
-	return s
 }
 
 func (s *BaseServer) AfterInit(fn func(s *BaseServer)) {

management/server/account.go

@@ -282,7 +282,7 @@ func (am *DefaultAccountManager) GetIdpManager() idp.Manager {
 // User that performs the update has to belong to the account.
 // Returns an updated Settings
 func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, accountID, userID string, newSettings *types.Settings) (*types.Settings, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Settings, operations.Update)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Settings, operations.Update)
 	if err != nil {
 		return nil, fmt.Errorf("failed to validate user permissions: %w", err)
 	}
@@ -855,7 +855,7 @@ func (am *DefaultAccountManager) DeleteAccount(ctx context.Context, accountID, u
 		return err
 	}
 
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Accounts, operations.Delete)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Accounts, operations.Delete)
 	if err != nil {
 		return fmt.Errorf("failed to validate user permissions: %w", err)
 	}
@@ -1422,7 +1422,7 @@ func (am *DefaultAccountManager) GetAccount(ctx context.Context, accountID strin
 
 // GetAccountByID returns an account associated with this account ID.
 func (am *DefaultAccountManager) GetAccountByID(ctx context.Context, accountID string, userID string) (*types.Account, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Accounts, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Accounts, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -1435,7 +1435,7 @@ func (am *DefaultAccountManager) GetAccountByID(ctx context.Context, accountID s
 
 // GetAccountMeta returns the account metadata associated with this account ID.
 func (am *DefaultAccountManager) GetAccountMeta(ctx context.Context, accountID string, userID string) (*types.AccountMeta, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Accounts, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Accounts, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -1448,7 +1448,7 @@ func (am *DefaultAccountManager) GetAccountMeta(ctx context.Context, accountID s
 
 // GetAccountOnboarding retrieves the onboarding information for a specific account.
 func (am *DefaultAccountManager) GetAccountOnboarding(ctx context.Context, accountID string, userID string) (*types.AccountOnboarding, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Accounts, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Accounts, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -1473,7 +1473,7 @@ func (am *DefaultAccountManager) GetAccountOnboarding(ctx context.Context, accou
 }
 
 func (am *DefaultAccountManager) UpdateAccountOnboarding(ctx context.Context, accountID, userID string, newOnboarding *types.AccountOnboarding) (*types.AccountOnboarding, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Settings, operations.Update)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Settings, operations.Update)
 	if err != nil {
 		return nil, fmt.Errorf("failed to validate user permissions: %w", err)
 	}
@@ -1540,8 +1540,7 @@ func (am *DefaultAccountManager) GetAccountIDFromUserAuth(ctx context.Context, u
 		return accountID, user.Id, nil
 	}
 
-	ctx, err = am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false)
-	if err != nil {
+	if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
 		return "", "", err
 	}
 
@@ -1987,7 +1986,7 @@ func (am *DefaultAccountManager) handleUserPeer(ctx context.Context, transaction
 }
 
 func (am *DefaultAccountManager) GetAccountSettings(ctx context.Context, accountID string, userID string) (*types.Settings, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Settings, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Settings, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -2555,7 +2554,7 @@ func (am *DefaultAccountManager) validateIPForUpdate(account *types.Account, pee
 }
 
 func (am *DefaultAccountManager) UpdatePeerIP(ctx context.Context, accountID, userID, peerID string, newIP netip.Addr) error {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Update)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Update)
 	if err != nil {
 		return fmt.Errorf("validate user permissions: %w", err)
 	}
@@ -2645,7 +2644,7 @@ func (am *DefaultAccountManager) savePeerIPUpdate(ctx context.Context, transacti
 // UpdatePeerIPv6 updates the IPv6 overlay address of a peer, validating it's
 // within the account's v6 network range and not already taken.
 func (am *DefaultAccountManager) UpdatePeerIPv6(ctx context.Context, accountID, userID, peerID string, newIPv6 netip.Addr) error {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Update)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Update)
 	if err != nil {
 		return fmt.Errorf("validate user permissions: %w", err)
 	}

management/server/context/keys.go

@@ -1,27 +1,10 @@
 package context
 
-import (
-	"context"
-
-	nbcontext "github.com/netbirdio/netbird/shared/context"
-)
+import "github.com/netbirdio/netbird/shared/context"
 
 const (
-	RequestIDKey = nbcontext.RequestIDKey
-	AccountIDKey = nbcontext.AccountIDKey
-	RoleKey      = nbcontext.RoleKey
-	UserIDKey    = nbcontext.UserIDKey
-	PeerIDKey    = nbcontext.PeerIDKey
+	RequestIDKey = context.RequestIDKey
+	AccountIDKey = context.AccountIDKey
+	UserIDKey    = context.UserIDKey
+	PeerIDKey    = context.PeerIDKey
 )
-
-// RoleFromContext returns the role stored in ctx, or empty string and false if absent.
-func RoleFromContext(ctx context.Context) (string, bool) {
-	role, ok := ctx.Value(RoleKey).(string)
-	return role, ok
-}
-
-// WithRole returns a new context carrying the given role.
-func WithRole(ctx context.Context, role string) context.Context {
-	//nolint
-	return context.WithValue(ctx, RoleKey, role)
-}

management/server/dns.go

@@ -22,7 +22,7 @@ const (
 
 // GetDNSSettings validates a user role and returns the DNS settings for the provided account ID
 func (am *DefaultAccountManager) GetDNSSettings(ctx context.Context, accountID string, userID string) (*types.DNSSettings, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -39,7 +39,7 @@ func (am *DefaultAccountManager) SaveDNSSettings(ctx context.Context, accountID
 		return status.Errorf(status.InvalidArgument, "the dns settings provided are nil")
 	}
 
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Update)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Update)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}

management/server/event.go

@@ -23,7 +23,7 @@ func isEnabled() bool {
 
 // GetEvents returns a list of activity events of an account
 func (am *DefaultAccountManager) GetEvents(ctx context.Context, accountID, userID string) ([]*activity.Event, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Events, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Events, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}

management/server/group.go

@@ -32,7 +32,7 @@ func (e *GroupLinkError) Error() string {
 
 // CheckGroupPermissions validates if a user has the necessary permissions to view groups
 func (am *DefaultAccountManager) CheckGroupPermissions(ctx context.Context, accountID, userID string) error {
-	allowed, _, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Read)
 	if err != nil {
 		return err
 	}
@@ -70,7 +70,7 @@ func (am *DefaultAccountManager) GetGroupByName(ctx context.Context, groupName,
 
 // CreateGroup object of the peers
 func (am *DefaultAccountManager) CreateGroup(ctx context.Context, accountID, userID string, newGroup *types.Group) error {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Create)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Create)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}
@@ -125,7 +125,7 @@ func (am *DefaultAccountManager) CreateGroup(ctx context.Context, accountID, use
 
 // UpdateGroup object of the peers
 func (am *DefaultAccountManager) UpdateGroup(ctx context.Context, accountID, userID string, newGroup *types.Group) error {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Update)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Update)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}
@@ -200,7 +200,7 @@ func (am *DefaultAccountManager) UpdateGroup(ctx context.Context, accountID, use
 // It is the caller's responsibility to ensure proper locking is in place before invoking this method.
 // This method will not create group peer membership relations. Use AddPeerToGroup or RemovePeerFromGroup methods for that.
 func (am *DefaultAccountManager) CreateGroups(ctx context.Context, accountID, userID string, groups []*types.Group) error {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Create)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Create)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}
@@ -268,7 +268,7 @@ func (am *DefaultAccountManager) CreateGroups(ctx context.Context, accountID, us
 // It is the caller's responsibility to ensure proper locking is in place before invoking this method.
 // This method will not create group peer membership relations. Use AddPeerToGroup or RemovePeerFromGroup methods for that.
 func (am *DefaultAccountManager) UpdateGroups(ctx context.Context, accountID, userID string, groups []*types.Group) error {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Update)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Update)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}
@@ -427,7 +427,7 @@ func (am *DefaultAccountManager) DeleteGroup(ctx context.Context, accountID, use
 // If an error occurs while deleting a group, the function skips it and continues deleting other groups.
 // Errors are collected and returned at the end.
 func (am *DefaultAccountManager) DeleteGroups(ctx context.Context, accountID, userID string, groupIDs []string) error {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Delete)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}

management/server/groups/manager.go

@@ -42,7 +42,7 @@ func NewManager(store store.Store, permissionsManager permissions.Manager, accou
 }
 
 func (m *managerImpl) GetAllGroups(ctx context.Context, accountID, userID string) ([]*types.Group, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Read)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Read)
 	if err != nil {
 		return nil, err
 	}
@@ -73,7 +73,7 @@ func (m *managerImpl) GetAllGroupsMap(ctx context.Context, accountID, userID str
 }
 
 func (m *managerImpl) AddResourceToGroup(ctx context.Context, accountID, userID, groupID string, resource *types.Resource) error {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Update)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Update)
 	if err != nil {
 		return err
 	}

management/server/http/handlers/peers/peers_handler.go

@@ -405,48 +405,48 @@ func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	allowed, ctx, err := h.permissionsManager.ValidateUserPermissions(r.Context(), accountID, userID, modules.Peers, operations.Read)
+	allowed, err := h.permissionsManager.ValidateUserPermissions(r.Context(), accountID, userID, modules.Peers, operations.Read)
 	if err != nil {
-		util.WriteError(ctx, status.NewPermissionValidationError(err), w)
+		util.WriteError(r.Context(), status.NewPermissionValidationError(err), w)
 		return
 	}
 
-	account, err := h.accountManager.GetAccountByID(ctx, accountID, activity.SystemInitiator)
+	account, err := h.accountManager.GetAccountByID(r.Context(), accountID, activity.SystemInitiator)
 	if err != nil {
-		util.WriteError(ctx, err, w)
+		util.WriteError(r.Context(), err, w)
 		return
 	}
 
 	if !allowed && !userAuth.IsChild {
 		if account.Settings.RegularUsersViewBlocked {
-			util.WriteJSONObject(ctx, w, []api.AccessiblePeer{})
+			util.WriteJSONObject(r.Context(), w, []api.AccessiblePeer{})
 			return
 		}
 
 		peer, ok := account.Peers[peerID]
 		if !ok {
-			util.WriteError(ctx, status.Errorf(status.NotFound, "peer not found"), w)
+			util.WriteError(r.Context(), status.Errorf(status.NotFound, "peer not found"), w)
 			return
 		}
 
 		if peer.UserID != user.Id {
-			util.WriteJSONObject(ctx, w, []api.AccessiblePeer{})
+			util.WriteJSONObject(r.Context(), w, []api.AccessiblePeer{})
 			return
 		}
 	}
 
-	validPeers, _, err := h.accountManager.GetValidatedPeers(ctx, accountID)
+	validPeers, _, err := h.accountManager.GetValidatedPeers(r.Context(), accountID)
 	if err != nil {
-		log.WithContext(ctx).Errorf("failed to list approved peers: %v", err)
-		util.WriteError(ctx, fmt.Errorf("internal error"), w)
+		log.WithContext(r.Context()).Errorf("failed to list approved peers: %v", err)
+		util.WriteError(r.Context(), fmt.Errorf("internal error"), w)
 		return
 	}
 
 	dnsDomain := h.networkMapController.GetDNSDomain(account.Settings)
 
-	netMap := account.GetPeerNetworkMapFromComponents(ctx, peerID, dns.CustomZone{}, nil, validPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil, account.GetActiveGroupUsers())
+	netMap := account.GetPeerNetworkMapFromComponents(r.Context(), peerID, dns.CustomZone{}, nil, validPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil, account.GetActiveGroupUsers())
 
-	util.WriteJSONObject(ctx, w, toAccessiblePeers(netMap, dnsDomain))
+	util.WriteJSONObject(r.Context(), w, toAccessiblePeers(netMap, dnsDomain))
 }
 
 func (h *Handler) CreateTemporaryAccess(w http.ResponseWriter, r *http.Request) {

management/server/http/handlers/peers/peers_handler_test.go

@@ -116,15 +116,15 @@ func initTestMetaData(t *testing.T, peers ...*nbpeer.Peer) *Handler {
 
 	ctrl2 := gomock.NewController(t)
 	permissionsManager := permissions.NewMockManager(ctrl2)
-	permissionsManager.EXPECT().ValidateAccountAccess(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(context.Background(), nil).AnyTimes()
+	permissionsManager.EXPECT().ValidateAccountAccess(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes()
 	permissionsManager.EXPECT().
 		ValidateUserPermissions(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Eq(modules.Peers), gomock.Eq(operations.Read)).
-		DoAndReturn(func(ctx context.Context, accountID, userID string, module modules.Module, operation operations.Operation) (bool, context.Context, error) {
+		DoAndReturn(func(ctx context.Context, accountID, userID string, module modules.Module, operation operations.Operation) (bool, error) {
 			user, ok := account.Users[userID]
 			if !ok {
-				return false, ctx, fmt.Errorf("user not found")
+				return false, fmt.Errorf("user not found")
 			}
-			return user.HasAdminPower() || user.IsServiceUser, ctx, nil
+			return user.HasAdminPower() || user.IsServiceUser, nil
 		}).
 		AnyTimes()
 

management/server/http/handlers/policies/geolocation_handler_test.go

@@ -51,7 +51,7 @@ func initGeolocationTestData(t *testing.T) *geolocationsHandler {
 	permissionsManagerMock.
 		EXPECT().
 		ValidateUserPermissions(gomock.Any(), gomock.Any(), gomock.Any(), modules.Policies, operations.Read).
-		Return(true, context.Background(), nil).
+		Return(true, nil).
 		AnyTimes()
 
 	return &geolocationsHandler{

management/server/identity_provider.go

@@ -88,7 +88,7 @@ func validateIdentityProviderConfig(ctx context.Context, idpConfig *types.Identi
 
 // GetIdentityProviders returns all identity providers for an account
 func (am *DefaultAccountManager) GetIdentityProviders(ctx context.Context, accountID, userID string) ([]*types.IdentityProvider, error) {
-	ok, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.IdentityProviders, operations.Read)
+	ok, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.IdentityProviders, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -117,7 +117,7 @@ func (am *DefaultAccountManager) GetIdentityProviders(ctx context.Context, accou
 
 // GetIdentityProvider returns a specific identity provider by ID
 func (am *DefaultAccountManager) GetIdentityProvider(ctx context.Context, accountID, idpID, userID string) (*types.IdentityProvider, error) {
-	ok, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.IdentityProviders, operations.Read)
+	ok, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.IdentityProviders, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -143,7 +143,7 @@ func (am *DefaultAccountManager) GetIdentityProvider(ctx context.Context, accoun
 
 // CreateIdentityProvider creates a new identity provider
 func (am *DefaultAccountManager) CreateIdentityProvider(ctx context.Context, accountID, userID string, idpConfig *types.IdentityProvider) (*types.IdentityProvider, error) {
-	ok, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.IdentityProviders, operations.Create)
+	ok, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.IdentityProviders, operations.Create)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -180,7 +180,7 @@ func (am *DefaultAccountManager) CreateIdentityProvider(ctx context.Context, acc
 
 // UpdateIdentityProvider updates an existing identity provider
 func (am *DefaultAccountManager) UpdateIdentityProvider(ctx context.Context, accountID, idpID, userID string, idpConfig *types.IdentityProvider) (*types.IdentityProvider, error) {
-	ok, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.IdentityProviders, operations.Update)
+	ok, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.IdentityProviders, operations.Update)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -213,7 +213,7 @@ func (am *DefaultAccountManager) UpdateIdentityProvider(ctx context.Context, acc
 
 // DeleteIdentityProvider deletes an identity provider
 func (am *DefaultAccountManager) DeleteIdentityProvider(ctx context.Context, accountID, idpID, userID string) error {
-	ok, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.IdentityProviders, operations.Delete)
+	ok, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.IdentityProviders, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}

management/server/nameserver.go

@@ -23,7 +23,7 @@ var errInvalidDomainName = errors.New("invalid domain name")
 
 // GetNameServerGroup gets a nameserver group object from account and nameserver group IDs
 func (am *DefaultAccountManager) GetNameServerGroup(ctx context.Context, accountID, userID, nsGroupID string) (*nbdns.NameServerGroup, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Nameservers, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Nameservers, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -36,7 +36,7 @@ func (am *DefaultAccountManager) GetNameServerGroup(ctx context.Context, account
 
 // CreateNameServerGroup creates and saves a new nameserver group
 func (am *DefaultAccountManager) CreateNameServerGroup(ctx context.Context, accountID string, name, description string, nameServerList []nbdns.NameServer, groups []string, primary bool, domains []string, enabled bool, userID string, searchDomainEnabled bool) (*nbdns.NameServerGroup, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Nameservers, operations.Create)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Nameservers, operations.Create)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -94,7 +94,7 @@ func (am *DefaultAccountManager) SaveNameServerGroup(ctx context.Context, accoun
 		return status.Errorf(status.InvalidArgument, "nameserver group provided is nil")
 	}
 
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Nameservers, operations.Update)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Nameservers, operations.Update)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}
@@ -141,7 +141,7 @@ func (am *DefaultAccountManager) SaveNameServerGroup(ctx context.Context, accoun
 
 // DeleteNameServerGroup deletes nameserver group with nsGroupID
 func (am *DefaultAccountManager) DeleteNameServerGroup(ctx context.Context, accountID, nsGroupID, userID string) error {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Nameservers, operations.Delete)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Nameservers, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}
@@ -184,7 +184,7 @@ func (am *DefaultAccountManager) DeleteNameServerGroup(ctx context.Context, acco
 
 // ListNameServerGroups returns a list of nameserver groups from account
 func (am *DefaultAccountManager) ListNameServerGroups(ctx context.Context, accountID string, userID string) ([]*nbdns.NameServerGroup, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Nameservers, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Nameservers, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}

management/server/networks/manager.go

@@ -49,7 +49,7 @@ func NewManager(store store.Store, permissionsManager permissions.Manager, resou
 }
 
 func (m *managerImpl) GetAllNetworks(ctx context.Context, accountID, userID string) ([]*types.Network, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Read)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -61,7 +61,7 @@ func (m *managerImpl) GetAllNetworks(ctx context.Context, accountID, userID stri
 }
 
 func (m *managerImpl) CreateNetwork(ctx context.Context, userID string, network *types.Network) (*types.Network, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, network.AccountID, userID, modules.Networks, operations.Create)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, network.AccountID, userID, modules.Networks, operations.Create)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -82,7 +82,7 @@ func (m *managerImpl) CreateNetwork(ctx context.Context, userID string, network
 }
 
 func (m *managerImpl) GetNetwork(ctx context.Context, accountID, userID, networkID string) (*types.Network, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Read)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -94,7 +94,7 @@ func (m *managerImpl) GetNetwork(ctx context.Context, accountID, userID, network
 }
 
 func (m *managerImpl) UpdateNetwork(ctx context.Context, userID string, network *types.Network) (*types.Network, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, network.AccountID, userID, modules.Networks, operations.Update)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, network.AccountID, userID, modules.Networks, operations.Update)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -113,7 +113,7 @@ func (m *managerImpl) UpdateNetwork(ctx context.Context, userID string, network
 }
 
 func (m *managerImpl) DeleteNetwork(ctx context.Context, accountID, userID, networkID string) error {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Delete)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}

management/server/networks/resources/manager.go

@@ -54,7 +54,7 @@ func NewManager(store store.Store, permissionsManager permissions.Manager, group
 }
 
 func (m *managerImpl) GetAllResourcesInNetwork(ctx context.Context, accountID, userID, networkID string) ([]*types.NetworkResource, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Read)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -66,7 +66,7 @@ func (m *managerImpl) GetAllResourcesInNetwork(ctx context.Context, accountID, u
 }
 
 func (m *managerImpl) GetAllResourcesInAccount(ctx context.Context, accountID, userID string) ([]*types.NetworkResource, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Read)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -78,7 +78,7 @@ func (m *managerImpl) GetAllResourcesInAccount(ctx context.Context, accountID, u
 }
 
 func (m *managerImpl) GetAllResourceIDsInAccount(ctx context.Context, accountID, userID string) (map[string][]string, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Read)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -100,7 +100,7 @@ func (m *managerImpl) GetAllResourceIDsInAccount(ctx context.Context, accountID,
 }
 
 func (m *managerImpl) CreateResource(ctx context.Context, userID string, resource *types.NetworkResource) (*types.NetworkResource, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, resource.AccountID, userID, modules.Networks, operations.Create)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, resource.AccountID, userID, modules.Networks, operations.Create)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -168,7 +168,7 @@ func (m *managerImpl) CreateResource(ctx context.Context, userID string, resourc
 }
 
 func (m *managerImpl) GetResource(ctx context.Context, accountID, userID, networkID, resourceID string) (*types.NetworkResource, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Read)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -189,7 +189,7 @@ func (m *managerImpl) GetResource(ctx context.Context, accountID, userID, networ
 }
 
 func (m *managerImpl) UpdateResource(ctx context.Context, userID string, resource *types.NetworkResource) (*types.NetworkResource, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, resource.AccountID, userID, modules.Networks, operations.Update)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, resource.AccountID, userID, modules.Networks, operations.Update)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -314,7 +314,7 @@ func (m *managerImpl) updateResourceGroups(ctx context.Context, transaction stor
 }
 
 func (m *managerImpl) DeleteResource(ctx context.Context, accountID, userID, networkID, resourceID string) error {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Delete)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}

management/server/networks/routers/manager.go

@@ -47,7 +47,7 @@ func NewManager(store store.Store, permissionsManager permissions.Manager, accou
 }
 
 func (m *managerImpl) GetAllRoutersInNetwork(ctx context.Context, accountID, userID, networkID string) ([]*types.NetworkRouter, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Read)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -59,7 +59,7 @@ func (m *managerImpl) GetAllRoutersInNetwork(ctx context.Context, accountID, use
 }
 
 func (m *managerImpl) GetAllRoutersInAccount(ctx context.Context, accountID, userID string) (map[string][]*types.NetworkRouter, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Read)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -81,7 +81,7 @@ func (m *managerImpl) GetAllRoutersInAccount(ctx context.Context, accountID, use
 }
 
 func (m *managerImpl) CreateRouter(ctx context.Context, userID string, router *types.NetworkRouter) (*types.NetworkRouter, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, router.AccountID, userID, modules.Networks, operations.Create)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, router.AccountID, userID, modules.Networks, operations.Create)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -126,7 +126,7 @@ func (m *managerImpl) CreateRouter(ctx context.Context, userID string, router *t
 }
 
 func (m *managerImpl) GetRouter(ctx context.Context, accountID, userID, networkID, routerID string) (*types.NetworkRouter, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Read)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -147,7 +147,7 @@ func (m *managerImpl) GetRouter(ctx context.Context, accountID, userID, networkI
 }
 
 func (m *managerImpl) UpdateRouter(ctx context.Context, userID string, router *types.NetworkRouter) (*types.NetworkRouter, error) {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, router.AccountID, userID, modules.Networks, operations.Update)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, router.AccountID, userID, modules.Networks, operations.Update)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -199,7 +199,7 @@ func (m *managerImpl) UpdateRouter(ctx context.Context, userID string, router *t
 }
 
 func (m *managerImpl) DeleteRouter(ctx context.Context, accountID, userID, networkID, routerID string) error {
-	ok, ctx, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Delete)
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Networks, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}

management/server/peer.go

@@ -42,7 +42,7 @@ func (am *DefaultAccountManager) GetPeers(ctx context.Context, accountID, userID
 		return nil, err
 	}
 
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -209,7 +209,7 @@ func (am *DefaultAccountManager) updatePeerLocationIfChanged(ctx context.Context
 
 // UpdatePeer updates peer. Only Peer.Name, Peer.SSHEnabled, Peer.LoginExpirationEnabled and Peer.InactivityExpirationEnabled can be updated.
 func (am *DefaultAccountManager) UpdatePeer(ctx context.Context, accountID, userID string, update *nbpeer.Peer) (*nbpeer.Peer, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Update)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Update)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -354,7 +354,7 @@ func (am *DefaultAccountManager) UpdatePeer(ctx context.Context, accountID, user
 }
 
 func (am *DefaultAccountManager) CreatePeerJob(ctx context.Context, accountID, peerID, userID string, job *types.Job) error {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.RemoteJobs, operations.Create)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.RemoteJobs, operations.Create)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}
@@ -430,7 +430,7 @@ func (am *DefaultAccountManager) CreatePeerJob(ctx context.Context, accountID, p
 
 func (am *DefaultAccountManager) GetAllPeerJobs(ctx context.Context, accountID, userID, peerID string) ([]*types.Job, error) {
 	// todo: Create permissions for job
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.RemoteJobs, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.RemoteJobs, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -456,7 +456,7 @@ func (am *DefaultAccountManager) GetAllPeerJobs(ctx context.Context, accountID,
 }
 
 func (am *DefaultAccountManager) GetPeerJobByID(ctx context.Context, accountID, userID, peerID, jobID string) (*types.Job, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.RemoteJobs, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.RemoteJobs, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -483,7 +483,7 @@ func (am *DefaultAccountManager) GetPeerJobByID(ctx context.Context, accountID,
 
 // DeletePeer removes peer from the account by its IP
 func (am *DefaultAccountManager) DeletePeer(ctx context.Context, accountID, peerID, userID string) error {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Delete)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}
@@ -643,7 +643,7 @@ func (am *DefaultAccountManager) handleUserAddedPeer(ctx context.Context, accoun
 	}
 
 	if temporary {
-		allowed, _, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Create)
+		allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Create)
 		if err != nil {
 			return status.NewPermissionValidationError(err)
 		}
@@ -1379,7 +1379,7 @@ func (am *DefaultAccountManager) GetPeer(ctx context.Context, accountID, peerID,
 		return nil, err
 	}
 
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}

management/server/permissions/manager.go

@@ -9,7 +9,6 @@ import (
 
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
-	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/permissions/roles"
@@ -19,9 +18,9 @@ import (
 )
 
 type Manager interface {
-	ValidateUserPermissions(ctx context.Context, accountID, userID string, module modules.Module, operation operations.Operation) (bool, context.Context, error)
+	ValidateUserPermissions(ctx context.Context, accountID, userID string, module modules.Module, operation operations.Operation) (bool, error)
 	ValidateRoleModuleAccess(ctx context.Context, accountID string, role roles.RolePermissions, module modules.Module, operation operations.Operation) bool
-	ValidateAccountAccess(ctx context.Context, accountID string, user *types.User, allowOwnerAndAdmin bool) (context.Context, error)
+	ValidateAccountAccess(ctx context.Context, accountID string, user *types.User, allowOwnerAndAdmin bool) error
 
 	GetPermissionsByRole(ctx context.Context, role types.UserRole) (roles.Permissions, error)
 	SetAccountManager(accountManager account.Manager)
@@ -43,43 +42,42 @@ func (m *managerImpl) ValidateUserPermissions(
 	userID string,
 	module modules.Module,
 	operation operations.Operation,
-) (bool, context.Context, error) {
+) (bool, error) {
 	if userID == activity.SystemInitiator {
-		return true, ctx, nil
+		return true, nil
 	}
 
 	user, err := m.store.GetUserByUserID(ctx, store.LockingStrengthNone, userID)
 	if err != nil {
-		return false, ctx, err
+		return false, err
 	}
 
 	if user == nil {
-		return false, ctx, status.NewUserNotFoundError(userID)
+		return false, status.NewUserNotFoundError(userID)
 	}
 
 	if user.IsBlocked() && !user.PendingApproval {
-		return false, ctx, status.NewUserBlockedError()
+		return false, status.NewUserBlockedError()
 	}
 
 	if user.IsBlocked() && user.PendingApproval {
-		return false, ctx, status.NewUserPendingApprovalError()
+		return false, status.NewUserPendingApprovalError()
 	}
 
-	ctxEnriched, err := m.ValidateAccountAccess(ctx, accountID, user, false)
-	if err != nil {
-		return false, ctx, err
+	if err := m.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
+		return false, err
 	}
 
 	if operation == operations.Read && user.IsServiceUser {
-		return true, ctxEnriched, nil // this should be replaced by proper granular access role
+		return true, nil // this should be replaced by proper granular access role
 	}
 
 	role, ok := roles.RolesMap[user.Role]
 	if !ok {
-		return false, ctxEnriched, status.NewUserRoleNotFoundError(string(user.Role))
+		return false, status.NewUserRoleNotFoundError(string(user.Role))
 	}
 
-	return m.ValidateRoleModuleAccess(ctx, accountID, role, module, operation), ctxEnriched, nil
+	return m.ValidateRoleModuleAccess(ctx, accountID, role, module, operation), nil
 }
 
 func (m *managerImpl) ValidateRoleModuleAccess(
@@ -100,14 +98,11 @@ func (m *managerImpl) ValidateRoleModuleAccess(
 	return role.AutoAllowNew[operation]
 }
 
-func (m *managerImpl) ValidateAccountAccess(ctx context.Context, accountID string, user *types.User, allowOwnerAndAdmin bool) (context.Context, error) {
+func (m *managerImpl) ValidateAccountAccess(ctx context.Context, accountID string, user *types.User, allowOwnerAndAdmin bool) error {
 	if user.AccountID != accountID {
-		return ctx, status.NewUserNotPartOfAccountError()
+		return status.NewUserNotPartOfAccountError()
 	}
-
-	ctx = nbcontext.WithRole(ctx, string(user.Role))
-
-	return ctx, nil
+	return nil
 }
 
 func (m *managerImpl) GetPermissionsByRole(ctx context.Context, role types.UserRole) (roles.Permissions, error) {

management/server/permissions/manager_mock.go

@@ -67,12 +67,11 @@ func (mr *MockManagerMockRecorder) SetAccountManager(accountManager interface{})
 }
 
 // ValidateAccountAccess mocks base method.
-func (m *MockManager) ValidateAccountAccess(ctx context.Context, accountID string, user *types.User, allowOwnerAndAdmin bool) (context.Context, error) {
+func (m *MockManager) ValidateAccountAccess(ctx context.Context, accountID string, user *types.User, allowOwnerAndAdmin bool) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "ValidateAccountAccess", ctx, accountID, user, allowOwnerAndAdmin)
-	ret0, _ := ret[0].(context.Context)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
+	ret0, _ := ret[0].(error)
+	return ret0
 }
 
 // ValidateAccountAccess indicates an expected call of ValidateAccountAccess.
@@ -96,13 +95,12 @@ func (mr *MockManagerMockRecorder) ValidateRoleModuleAccess(ctx, accountID, role
 }
 
 // ValidateUserPermissions mocks base method.
-func (m *MockManager) ValidateUserPermissions(ctx context.Context, accountID, userID string, module modules.Module, operation operations.Operation) (bool, context.Context, error) {
+func (m *MockManager) ValidateUserPermissions(ctx context.Context, accountID, userID string, module modules.Module, operation operations.Operation) (bool, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "ValidateUserPermissions", ctx, accountID, userID, module, operation)
 	ret0, _ := ret[0].(bool)
-	ret1, _ := ret[1].(context.Context)
-	ret2, _ := ret[2].(error)
-	return ret0, ret1, ret2
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
 }
 
 // ValidateUserPermissions indicates an expected call of ValidateUserPermissions.

management/server/policy.go

@@ -19,7 +19,7 @@ import (
 
 // GetPolicy from the store
 func (am *DefaultAccountManager) GetPolicy(ctx context.Context, accountID, policyID, userID string) (*types.Policy, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Policies, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Policies, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -36,7 +36,7 @@ func (am *DefaultAccountManager) SavePolicy(ctx context.Context, accountID, user
 	if !create {
 		operation = operations.Update
 	}
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Policies, operation)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Policies, operation)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -108,7 +108,7 @@ func (am *DefaultAccountManager) SavePolicy(ctx context.Context, accountID, user
 
 // DeletePolicy from the store
 func (am *DefaultAccountManager) DeletePolicy(ctx context.Context, accountID, policyID, userID string) error {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Policies, operations.Delete)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Policies, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}
@@ -151,7 +151,7 @@ func (am *DefaultAccountManager) DeletePolicy(ctx context.Context, accountID, po
 
 // ListPolicies from the store.
 func (am *DefaultAccountManager) ListPolicies(ctx context.Context, accountID, userID string) ([]*types.Policy, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Policies, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Policies, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}

management/server/posture_checks.go

@@ -16,7 +16,7 @@ import (
 )
 
 func (am *DefaultAccountManager) GetPostureChecks(ctx context.Context, accountID, postureChecksID, userID string) (*posture.Checks, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Policies, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Policies, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -33,7 +33,7 @@ func (am *DefaultAccountManager) SavePostureChecks(ctx context.Context, accountI
 	if !create {
 		operation = operations.Update
 	}
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Policies, operation)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Policies, operation)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -89,7 +89,7 @@ func (am *DefaultAccountManager) SavePostureChecks(ctx context.Context, accountI
 
 // DeletePostureChecks deletes a posture check by ID.
 func (am *DefaultAccountManager) DeletePostureChecks(ctx context.Context, accountID, postureChecksID, userID string) error {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Policies, operations.Delete)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Policies, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}
@@ -126,7 +126,7 @@ func (am *DefaultAccountManager) DeletePostureChecks(ctx context.Context, accoun
 
 // ListPostureChecks returns a list of posture checks.
 func (am *DefaultAccountManager) ListPostureChecks(ctx context.Context, accountID, userID string) ([]*posture.Checks, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Policies, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Policies, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}

management/server/route.go

@@ -21,7 +21,7 @@ import (
 
 // GetRoute gets a route object from account and route IDs
 func (am *DefaultAccountManager) GetRoute(ctx context.Context, accountID string, routeID route.ID, userID string) (*route.Route, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -134,7 +134,7 @@ func getRouteDescriptor(prefix netip.Prefix, domains domain.List) string {
 
 // CreateRoute creates and saves a new route
 func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peerID string, peerGroupIDs []string, description string, netID route.NetID, masquerade bool, metric int, groups, accessControlGroupIDs []string, enabled bool, userID string, keepRoute bool, skipAutoApply bool) (*route.Route, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Create)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Create)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -199,7 +199,7 @@ func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID stri
 
 // SaveRoute saves route
 func (am *DefaultAccountManager) SaveRoute(ctx context.Context, accountID, userID string, routeToSave *route.Route) error {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Update)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Update)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}
@@ -253,7 +253,7 @@ func (am *DefaultAccountManager) SaveRoute(ctx context.Context, accountID, userI
 
 // DeleteRoute deletes route with routeID
 func (am *DefaultAccountManager) DeleteRoute(ctx context.Context, accountID string, routeID route.ID, userID string) error {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Delete)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}
@@ -296,7 +296,7 @@ func (am *DefaultAccountManager) DeleteRoute(ctx context.Context, accountID stri
 
 // ListRoutes returns a list of routes from account
 func (am *DefaultAccountManager) ListRoutes(ctx context.Context, accountID, userID string) ([]*route.Route, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}

management/server/settings/manager.go

@@ -59,7 +59,7 @@ func (m *managerImpl) GetExtraSettingsManager() extra_settings.Manager {
 
 func (m *managerImpl) GetSettings(ctx context.Context, accountID, userID string) (*types.Settings, error) {
 	if userID != activity.SystemInitiator {
-		ok, _, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Settings, operations.Read)
+		ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Settings, operations.Read)
 		if err != nil {
 			return nil, status.NewPermissionValidationError(err)
 		}

management/server/setupkey.go

@@ -56,7 +56,7 @@ type SetupKeyUpdateOperation struct {
 func (am *DefaultAccountManager) CreateSetupKey(ctx context.Context, accountID string, keyName string, keyType types.SetupKeyType,
 	expiresIn time.Duration, autoGroups []string, usageLimit int, userID string, ephemeral bool, allowExtraDNSLabels bool) (*types.SetupKey, error) {
 
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.SetupKeys, operations.Create)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.SetupKeys, operations.Create)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -105,7 +105,7 @@ func (am *DefaultAccountManager) SaveSetupKey(ctx context.Context, accountID str
 		return nil, status.Errorf(status.InvalidArgument, "provided setup key to update is nil")
 	}
 
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.SetupKeys, operations.Update)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.SetupKeys, operations.Update)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -162,7 +162,7 @@ func (am *DefaultAccountManager) SaveSetupKey(ctx context.Context, accountID str
 
 // ListSetupKeys returns a list of all setup keys of the account
 func (am *DefaultAccountManager) ListSetupKeys(ctx context.Context, accountID, userID string) ([]*types.SetupKey, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.SetupKeys, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.SetupKeys, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -175,7 +175,7 @@ func (am *DefaultAccountManager) ListSetupKeys(ctx context.Context, accountID, u
 
 // GetSetupKey looks up a SetupKey by KeyID, returns NotFound error if not found.
 func (am *DefaultAccountManager) GetSetupKey(ctx context.Context, accountID, userID, keyID string) (*types.SetupKey, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.SetupKeys, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.SetupKeys, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -198,7 +198,7 @@ func (am *DefaultAccountManager) GetSetupKey(ctx context.Context, accountID, use
 
 // DeleteSetupKey removes the setup key from the account
 func (am *DefaultAccountManager) DeleteSetupKey(ctx context.Context, accountID, userID, keyID string) error {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.SetupKeys, operations.Delete)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.SetupKeys, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}

management/server/user.go

@@ -31,7 +31,7 @@ import (
 
 // createServiceUser creates a new service user under the given account.
 func (am *DefaultAccountManager) createServiceUser(ctx context.Context, accountID string, initiatorUserID string, role types.UserRole, serviceUserName string, nonDeletable bool, autoGroups []string) (*types.UserInfo, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Create)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Create)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -86,7 +86,7 @@ func (am *DefaultAccountManager) inviteNewUser(ctx context.Context, accountID, u
 		return nil, err
 	}
 
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Users, operations.Create)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Users, operations.Create)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -307,7 +307,7 @@ func (am *DefaultAccountManager) DeleteUser(ctx context.Context, accountID, init
 		return err
 	}
 
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Delete)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}
@@ -357,7 +357,7 @@ func (am *DefaultAccountManager) InviteUser(ctx context.Context, accountID strin
 		return status.Errorf(status.PreconditionFailed, "IdP manager must be enabled to send user invites")
 	}
 
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Create)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Create)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}
@@ -401,7 +401,7 @@ func (am *DefaultAccountManager) CreatePAT(ctx context.Context, accountID string
 		return nil, status.Errorf(status.InvalidArgument, "expiration has to be between %d and %d", account.PATMinExpireDays, account.PATMaxExpireDays)
 	}
 
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Pats, operations.Create)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Pats, operations.Create)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -445,7 +445,7 @@ func (am *DefaultAccountManager) CreatePAT(ctx context.Context, accountID string
 
 // DeletePAT deletes a specific PAT from a user
 func (am *DefaultAccountManager) DeletePAT(ctx context.Context, accountID string, initiatorUserID string, targetUserID string, tokenID string) error {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Pats, operations.Delete)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Pats, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}
@@ -488,7 +488,7 @@ func (am *DefaultAccountManager) DeletePAT(ctx context.Context, accountID string
 
 // GetPAT returns a specific PAT from a user
 func (am *DefaultAccountManager) GetPAT(ctx context.Context, accountID string, initiatorUserID string, targetUserID string, tokenID string) (*types.PersonalAccessToken, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Pats, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Pats, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -519,7 +519,7 @@ func (am *DefaultAccountManager) GetPAT(ctx context.Context, accountID string, i
 
 // GetAllPATs returns all PATs for a user
 func (am *DefaultAccountManager) GetAllPATs(ctx context.Context, accountID string, initiatorUserID string, targetUserID string) ([]*types.PersonalAccessToken, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Pats, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Pats, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -576,7 +576,7 @@ func (am *DefaultAccountManager) SaveOrAddUsers(ctx context.Context, accountID,
 		return nil, nil //nolint:nilnil
 	}
 
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Create) // TODO: split by Create and Update
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Create) // TODO: split by Create and Update
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -610,11 +610,6 @@ func (am *DefaultAccountManager) SaveOrAddUsers(ctx context.Context, accountID,
 			return nil, err
 		}
 		initiatorUser = result
-		role, ok := nbcontext.RoleFromContext(ctx)
-		if !ok {
-			return nil, status.Errorf(status.Internal, "failed to get user role from context")
-		}
-		initiatorUser.Role = types.UserRole(role)
 	}
 
 	var globalErr error
@@ -760,6 +755,19 @@ func (am *DefaultAccountManager) processUserUpdate(ctx context.Context, transact
 		return false, nil, nil, nil, status.Errorf(status.InvalidArgument, "provided user update is nil")
 	}
 
+	if initiatorUserId != activity.SystemInitiator {
+		freshInitiator, err := transaction.GetUserByUserID(ctx, store.LockingStrengthUpdate, initiatorUserId)
+		if err != nil {
+			return false, nil, nil, nil, fmt.Errorf("failed to re-read initiator user in transaction: %w", err)
+		}
+
+		// Ensure the initiator still has admin privileges
+		if !freshInitiator.HasAdminPower() {
+			return false, nil, nil, nil, status.Errorf(status.PermissionDenied, "initiator role was changed during request processing")
+		}
+		initiatorUser = freshInitiator
+	}
+
 	oldUser, isNewUser, err := getUserOrCreateIfNotExists(ctx, transaction, accountID, update, addIfNotExists)
 	if err != nil {
 		return false, nil, nil, nil, err
@@ -980,7 +988,7 @@ func (am *DefaultAccountManager) GetOrCreateAccountByUser(ctx context.Context, u
 // GetUsersFromAccount performs a batched request for users from IDP by account ID apply filter on what data to return
 // based on provided user role.
 func (am *DefaultAccountManager) GetUsersFromAccount(ctx context.Context, accountID, initiatorUserID string) (map[string]*types.UserInfo, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -1197,7 +1205,7 @@ func (am *DefaultAccountManager) deleteUserFromIDP(ctx context.Context, targetUs
 // If an error occurs while deleting the user, the function skips it and continues deleting other users.
 // Errors are collected and returned at the end.
 func (am *DefaultAccountManager) DeleteRegularUsers(ctx context.Context, accountID, initiatorUserID string, targetUserIDs []string, userInfos map[string]*types.UserInfo) error {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Delete)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}
@@ -1395,8 +1403,7 @@ func (am *DefaultAccountManager) GetCurrentUserInfo(ctx context.Context, userAut
 		return nil, status.NewPermissionDeniedError()
 	}
 
-	ctx, err = am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false)
-	if err != nil {
+	if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
 		return nil, err
 	}
 
@@ -1425,7 +1432,7 @@ func (am *DefaultAccountManager) GetCurrentUserInfo(ctx context.Context, userAut
 
 // ApproveUser approves a user that is pending approval
 func (am *DefaultAccountManager) ApproveUser(ctx context.Context, accountID, initiatorUserID, targetUserID string) (*types.UserInfo, error) {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Update)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Update)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -1466,7 +1473,7 @@ func (am *DefaultAccountManager) ApproveUser(ctx context.Context, accountID, ini
 
 // RejectUser rejects a user that is pending approval by deleting them
 func (am *DefaultAccountManager) RejectUser(ctx context.Context, accountID, initiatorUserID, targetUserID string) error {
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Delete)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}
@@ -1512,7 +1519,7 @@ func (am *DefaultAccountManager) CreateUserInvite(ctx context.Context, accountID
 		return nil, err
 	}
 
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Create)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Create)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -1630,7 +1637,7 @@ func (am *DefaultAccountManager) ListUserInvites(ctx context.Context, accountID,
 		return nil, status.Errorf(status.PreconditionFailed, "invite links are only available with embedded identity provider")
 	}
 
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Read)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Read)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -1744,7 +1751,7 @@ func (am *DefaultAccountManager) RegenerateUserInvite(ctx context.Context, accou
 		return nil, status.Errorf(status.PreconditionFailed, "invite links are only available with embedded identity provider")
 	}
 
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Update)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Update)
 	if err != nil {
 		return nil, status.NewPermissionValidationError(err)
 	}
@@ -1806,7 +1813,7 @@ func (am *DefaultAccountManager) DeleteUserInvite(ctx context.Context, accountID
 		return status.Errorf(status.PreconditionFailed, "invite links are only available with embedded identity provider")
 	}
 
-	allowed, ctx, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Delete)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, initiatorUserID, modules.Users, operations.Delete)
 	if err != nil {
 		return status.NewPermissionValidationError(err)
 	}

management/server/user_test.go

@@ -2129,3 +2129,66 @@ func TestUser_Operations_WithEmbeddedIDP(t *testing.T) {
 		t.Logf("Duplicate email error: %v", err)
 	})
 }
+
+func TestProcessUserUpdate_RejectsStaleInitiatorRole(t *testing.T) {
+	s, cleanup, err := store.NewTestStoreFromSQL(context.Background(), "", t.TempDir())
+	require.NoError(t, err)
+	t.Cleanup(cleanup)
+
+	account := newAccountWithId(context.Background(), "account1", "owner1", "", "", "", false)
+
+	adminID := "admin1"
+	account.Users[adminID] = types.NewAdminUser(adminID)
+
+	targetID := "target1"
+	account.Users[targetID] = types.NewRegularUser(targetID, "", "")
+
+	require.NoError(t, s.SaveAccount(context.Background(), account))
+
+	demotedAdmin, err := s.GetUserByUserID(context.Background(), store.LockingStrengthNone, adminID)
+	require.NoError(t, err)
+	demotedAdmin.Role = types.UserRoleUser
+	require.NoError(t, s.SaveUser(context.Background(), demotedAdmin))
+
+	staleInitiator := &types.User{
+		Id:        adminID,
+		AccountID: account.Id,
+		Role:      types.UserRoleAdmin,
+	}
+
+	permissionsManager := permissions.NewManager(s)
+	am := DefaultAccountManager{
+		Store:              s,
+		eventStore:         &activity.InMemoryEventStore{},
+		permissionsManager: permissionsManager,
+	}
+
+	settings, err := s.GetAccountSettings(context.Background(), store.LockingStrengthNone, account.Id)
+	require.NoError(t, err)
+
+	groups, err := s.GetAccountGroups(context.Background(), store.LockingStrengthNone, account.Id)
+	require.NoError(t, err)
+	groupsMap := make(map[string]*types.Group, len(groups))
+	for _, g := range groups {
+		groupsMap[g.ID] = g
+	}
+
+	update := &types.User{
+		Id:   targetID,
+		Role: types.UserRoleAdmin,
+	}
+
+	err = s.ExecuteInTransaction(context.Background(), func(tx store.Store) error {
+		_, _, _, _, txErr := am.processUserUpdate(
+			context.Background(), tx, groupsMap, account.Id, adminID, staleInitiator, update, false, settings,
+		)
+		return txErr
+	})
+
+	require.Error(t, err, "processUserUpdate should reject stale initiator whose role was demoted")
+	assert.Contains(t, err.Error(), "initiator role was changed during request processing")
+
+	targetUser, err := s.GetUserByUserID(context.Background(), store.LockingStrengthNone, targetID)
+	require.NoError(t, err)
+	assert.Equal(t, types.UserRoleUser, targetUser.Role)
+}

shared/context/keys.go

@@ -3,7 +3,6 @@ package context
 const (
 	RequestIDKey = "requestID"
 	AccountIDKey = "accountID"
-	RoleKey      = "role"
 	UserIDKey    = "userID"
 	PeerIDKey    = "peerID"
 )

shared/management/client/client_test.go

@@ -17,8 +17,8 @@ import (
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 
-	ephemeral_manager "github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral/manager"
 	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator/validator"
+	ephemeral_manager "github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral/manager"
 
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
@@ -89,7 +89,7 @@ func startManagement(t *testing.T) (*grpc.Server, net.Listener) {
 			gomock.Any(),
 			gomock.Any(),
 		).
-		Return(true, context.Background(), nil).
+		Return(true, nil).
 		AnyTimes()
 
 	peersManger := peers.NewManager(store, permissionsManagerMock)

util/capture/text.go

@@ -13,8 +13,6 @@ import (
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/miekg/dns"
-
-	nbdns "github.com/netbirdio/netbird/dns"
 )
 
 // TextWriter writes human-readable one-line-per-packet summaries.
@@ -152,7 +150,7 @@ func (tw *TextWriter) writeUDP(timeStr string, dir Direction, info *packetInfo,
 	plen := len(udp.Payload)
 
 	// DNS replaces the entire line format
-	if plen > 0 && (isDNSPort(info.srcPort) || isDNSPort(info.dstPort)) {
+	if plen > 0 && isDNSPort(info.srcPort, info.dstPort) {
 		if s := formatDNSPayload(udp.Payload); s != "" {
 			var verbose string
 			if tw.verbose {
@@ -563,12 +561,8 @@ func findSNIExtension(body []byte, pos int) string {
 	return ""
 }
 
-func isDNSPort(p uint16) bool {
-	switch p {
-	case nbdns.DefaultDNSPort, nbdns.ForwarderClientPort, nbdns.ForwarderServerPort:
-		return true
-	}
-	return false
+func isDNSPort(src, dst uint16) bool {
+	return src == 53 || dst == 53 || src == 5353 || dst == 5353
 }
 
 // formatDNSPayload parses DNS and returns a tcpdump-style summary.