Merge branch 'main' into refactor/mgmt-bootstrap

build client config in sync response
2026-06-25 01:09:54 +00:00 · 2026-06-16 17:17:03 +03:00 · 2026-06-05 23:53:48 +03:00 · 2026-06-05 22:02:25 +03:00 · 2026-05-26 20:45:57 +03:00
162 changed files with 2335 additions and 6645 deletions
--- a/.github/workflows/check-license-dependencies.yml
+++ b/.github/workflows/check-license-dependencies.yml
@@ -20,7 +20,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@@ -59,12 +59,12 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Set up Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: true
--- a/.github/workflows/git-town.yml
+++ b/.github/workflows/git-town.yml
@@ -15,7 +15,7 @@ jobs:
      pull-requests: write

    steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: git-town/action@3d8b878379abb1ee393fb49865a28b4a6c2cd3b0 # v1.2.1
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -16,12 +16,12 @@ jobs:
    runs-on: macos-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -48,7 +48,7 @@ jobs:
        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -coverprofile=coverage.txt -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)

      - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f #v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: netbirdio/netbird
--- a/.github/workflows/golang-test-freebsd.yml
+++ b/.github/workflows/golang-test-freebsd.yml
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@@ -28,7 +28,7 @@ jobs:
        id: test
        env:
          GO_VERSION: ${{ steps.goversion.outputs.version }}
-        uses: vmactions/freebsd-vm@b84ab5559b5a1bb4b8ee2737d2506a16e1737636 # v1.4.8
+        uses: vmactions/freebsd-vm@d1e65811565151536c0c894fff74f06351ed26e6 # v1.4.5
        with:
          usesh: true
          copyback: false
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -18,7 +18,7 @@ jobs:
      management: ${{ steps.filter.outputs.management }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@@ -30,7 +30,7 @@ jobs:
              - 'management/**'

      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -119,12 +119,12 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -162,7 +162,7 @@ jobs:

      - name: Upload coverage reports to Codecov
        if: matrix.arch == 'amd64'
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f #v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: netbirdio/netbird
@@ -175,12 +175,12 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -246,12 +246,12 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -290,7 +290,7 @@ jobs:

      - name: Upload coverage reports to Codecov
        if: matrix.arch == 'amd64'
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f #v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: netbirdio/netbird
@@ -306,12 +306,12 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -347,7 +347,7 @@ jobs:

      - name: Upload coverage reports to Codecov
        if: matrix.arch == 'amd64'
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f #v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: netbirdio/netbird
@@ -363,12 +363,12 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -407,7 +407,7 @@ jobs:

      - name: Upload coverage reports to Codecov
        if: matrix.arch == 'amd64'
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f #v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: netbirdio/netbird
@@ -424,12 +424,12 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -484,7 +484,7 @@ jobs:

      - name: Upload coverage reports to Codecov
        if: matrix.arch == 'amd64'
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f #v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: netbirdio/netbird
@@ -529,12 +529,12 @@ jobs:
            prom/prometheus

      - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -623,12 +623,12 @@ jobs:
            prom/prometheus

      - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -692,12 +692,12 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -734,7 +734,7 @@ jobs:

      - name: Upload coverage reports to Codecov
        if: matrix.arch == 'amd64'
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f #v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: netbirdio/netbird
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -18,12 +18,12 @@ jobs:
    runs-on: windows-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        id: go
        with:
          go-version-file: "go.mod"
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -15,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: codespell
@@ -40,7 +40,7 @@ jobs:
    timeout-minutes: 15
    steps:
      - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Check for duplicate constants
@@ -48,7 +48,7 @@ jobs:
        run: |
          ! awk '/const \(/,/)/{print $0}' management/server/activity/codes.go | grep -o '= [0-9]*' | sort | uniq -d | grep .
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
--- a/.github/workflows/install-script-test.yml
+++ b/.github/workflows/install-script-test.yml
@@ -22,7 +22,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

--- a/.github/workflows/mobile-build-validation.yml
+++ b/.github/workflows/mobile-build-validation.yml
@@ -16,11 +16,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
      - name: Setup Android SDK
@@ -28,7 +28,7 @@ jobs:
        with:
          cmdline-tools-version: 8512546
      - name: Setup Java
-        uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
        with:
          java-version: "11"
          distribution: "adopt"
@@ -54,11 +54,11 @@ jobs:
    runs-on: macos-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
      - name: install gomobile
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,13 +9,10 @@ on:
  pull_request:

 env:
-  SIGN_PIPE_VER: "v0.1.6"
-  GORELEASER_VER: "v2.16.0"
+  SIGN_PIPE_VER: "v0.1.5"
+  GORELEASER_VER: "v2.14.3"
  PRODUCT_NAME: "NetBird"
  COPYRIGHT: "NetBird GmbH"
-  flags: ""
-  SKIP_PUBLISH: "true"
-  SKIP_DOCKER_PUSH: "false"

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
@@ -27,7 +24,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@@ -64,7 +61,7 @@ jobs:
        if: steps.check_diff.outputs.diff_exists == 'true'
        env:
          GO_VERSION: ${{ steps.goversion.outputs.version }}
-        uses: vmactions/freebsd-vm@b84ab5559b5a1bb4b8ee2737d2506a16e1737636 # v1.4.8
+        uses: vmactions/freebsd-vm@d1e65811565151536c0c894fff74f06351ed26e6 # v1.4.5
        with:
          usesh: true
          copyback: false
@@ -133,9 +130,11 @@ jobs:
      windows_packages_artifact_url: ${{ steps.upload_windows_packages.outputs.artifact-url }}
      macos_packages_artifact_url: ${{ steps.upload_macos_packages.outputs.artifact-url }}
      ghcr_images: ${{ steps.tag_and_push_images.outputs.images_markdown }}
+    env:
+      flags: ""
    steps:
      - name: Checkout
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0 # It is required for GoReleaser to work properly
          persist-credentials: false
@@ -144,29 +143,10 @@ jobs:
        id: semver_parser
        uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2

-      - name: Set snapshot flag
-        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
-        run: | 
-          echo "flags=--snapshot" >> $GITHUB_ENV
-
-      - name: Set build vars
-        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
-        run: |
-          if [[ "x-${{ steps.semver_parser.outputs.prerelease }}" == "x-" && "x-${{ github.repository }}" == "x-netbirdio/netbird" ]]; then
-            echo "x-${{ github.repository }}" 
-            echo "x-${{ steps.semver_parser.outputs.prerelease }}"
-            echo "SKIP_PUBLISH=false" >> $GITHUB_ENV
-          else
-            echo "x-${{ github.repository }}" 
-            echo "x-${{ steps.semver_parser.outputs.prerelease }}"
-          fi
-          
-          if [[ "x-${{ github.repository }}" != "x-netbirdio/netbird" ]]; then
-            echo "SKIP_DOCKER_PUSH=true" >> $GITHUB_ENV
-          fi
-
+      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
+        run: echo "flags=--snapshot" >> $GITHUB_ENV
      - name: Set up Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -186,9 +166,9 @@ jobs:
      - name: check git status
        run: git --no-pager diff --exit-code
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 #v4.1.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a #v4.0.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 #v4.1.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0
      - name: Login to Docker hub
        if: github.event_name != 'pull_request'
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
@@ -221,7 +201,7 @@ jobs:
        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
      - name: Run GoReleaser
        id: goreleaser
-        uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
+        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
        with:
          version: ${{ env.GORELEASER_VER }}
          args: release --clean ${{ env.flags }}
@@ -232,8 +212,6 @@ jobs:
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          GPG_RPM_KEY_FILE: ${{ env.GPG_RPM_KEY_FILE }}
          NFPM_NETBIRD_RPM_PASSPHRASE: ${{ secrets.GPG_RPM_PASSPHRASE }}
-          SKIP_PUBLISH: ${{ env.SKIP_PUBLISH }}
-          SKIP_DOCKER_PUSH: ${{ env.SKIP_DOCKER_PUSH }}
      - name: Verify RPM signatures
        run: |
          docker run --rm -v $(pwd)/dist:/dist fedora:41 bash -c '
@@ -347,7 +325,7 @@ jobs:
      release_ui_artifact_url: ${{ steps.upload_release_ui.outputs.artifact-url }}
    steps:
      - name: Checkout
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0 # It is required for GoReleaser to work properly
          persist-credentials: false
@@ -356,25 +334,11 @@ jobs:
        id: semver_parser
        uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2

-      - name: Set snapshot flag
-        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
-        run: |
-          echo "flags=--snapshot" >> $GITHUB_ENV
-
-      - name: Set build vars
-        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
-        run: |
-          if [[ "x-${{ steps.semver_parser.outputs.prerelease }}" == "x-" && "x-${{ github.repository }}" == "x-netbirdio/netbird" ]]; then
-            echo "x-${{ github.repository }}" 
-            echo "x-${{ steps.semver_parser.outputs.prerelease }}"
-            echo "SKIP_PUBLISH=false" >> $GITHUB_ENV
-          else
-            echo "x-${{ github.repository }}" 
-            echo "x-${{ steps.semver_parser.outputs.prerelease }}"
-          fi
+      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
+        run: echo "flags=--snapshot" >> $GITHUB_ENV

      - name: Set up Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -420,7 +384,7 @@ jobs:
        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/ui/manifest.xml -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_arm64.syso

      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
+        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
        with:
          version: ${{ env.GORELEASER_VER }}
          args: release --config .goreleaser_ui.yaml --clean ${{ env.flags }}
@@ -431,7 +395,6 @@ jobs:
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          GPG_RPM_KEY_FILE: ${{ env.GPG_RPM_KEY_FILE }}
          NFPM_NETBIRD_UI_RPM_PASSPHRASE: ${{ secrets.GPG_RPM_PASSPHRASE }}
-          SKIP_PUBLISH: ${{ env.SKIP_PUBLISH }}
      - name: Verify RPM signatures
        run: |
          docker run --rm -v $(pwd)/dist:/dist fedora:41 bash -c '
@@ -464,12 +427,12 @@ jobs:
      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot" >> $GITHUB_ENV
      - name: Checkout
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0 # It is required for GoReleaser to work properly
          persist-credentials: false
      - name: Set up Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -488,7 +451,7 @@ jobs:
        run: git --no-pager diff --exit-code
      - name: Run GoReleaser
        id: goreleaser
-        uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
+        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
        with:
          version: ${{ env.GORELEASER_VER }}
          args: release --config .goreleaser_ui_darwin.yaml --clean ${{ env.flags }}
@@ -522,7 +485,7 @@ jobs:
      downloadPath: '${{ github.workspace }}\temp'
    steps:
      - name: Checkout
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@@ -534,13 +497,13 @@ jobs:
        run: echo "C:\Program Files\7-Zip" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append

      - name: Download release artifacts
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.1
        with:
          name: release
          path: release

      - name: Download UI release artifacts
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.1
        with:
          name: release-ui
          path: release-ui
--- a/.github/workflows/test-infrastructure-files.yml
+++ b/.github/workflows/test-infrastructure-files.yml
@@ -68,12 +68,12 @@ jobs:
        run: sudo apt-get install -y curl

      - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"

@@ -207,7 +207,7 @@ jobs:
      - name: Build management docker image
        working-directory: management
        run: |
-          docker build -t netbirdio/management:latest --build-arg TARGETPLATFORM=. .
+          docker build -t netbirdio/management:latest .

      - name: Build signal binary
        working-directory: signal
@@ -216,7 +216,7 @@ jobs:
      - name: Build signal docker image
        working-directory: signal
        run: |
-          docker build -t netbirdio/signal:latest --build-arg TARGETPLATFORM=. .
+          docker build -t netbirdio/signal:latest .

      - name: Build relay binary
        working-directory: relay
@@ -225,7 +225,7 @@ jobs:
      - name: Build relay docker image
        working-directory: relay
        run: |
-          docker build -t netbirdio/relay:latest --build-arg TARGETPLATFORM=. .
+          docker build -t netbirdio/relay:latest .

      - name: run docker compose up
        working-directory: infrastructure_files/artifacts
@@ -256,7 +256,7 @@ jobs:
        run: sudo apt-get install -y jq

      - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

--- a/.github/workflows/wasm-build-validation.yml
+++ b/.github/workflows/wasm-build-validation.yml
@@ -19,11 +19,11 @@ jobs:
      GOARCH: wasm
    steps:
      - name: Checkout repository
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
      - name: Install dependencies
@@ -44,11 +44,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
      - name: Build Wasm client
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,7 +1,5 @@
 version: 2
-env:
-  - SKIP_PUBLISH={{ if index .Env "SKIP_PUBLISH" }}{{ .Env.SKIP_PUBLISH }}{{ else }}true{{ end }}
-  - SKIP_DOCKER_PUSH={{ if index .Env "SKIP_DOCKER_PUSH" }}{{ .Env.SKIP_DOCKER_PUSH }}{{ else }}false{{ end }}
+
 project_name: netbird
 builds:
  - id: netbird-wasm
@@ -76,8 +74,6 @@ builds:
      - amd64
      - arm64
      - arm
-    goarm:
-      - 7
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
@@ -92,8 +88,6 @@ builds:
      - amd64
      - arm64
      - arm
-    goarm:
-      - 7
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
@@ -108,8 +102,6 @@ builds:
      - amd64
      - arm64
      - arm
-    goarm:
-      - 7
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
@@ -130,8 +122,6 @@ builds:
      - amd64
      - arm64
      - arm
-    goarm:
-      - 7
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
@@ -146,8 +136,6 @@ builds:
      - amd64
      - arm64
      - arm
-    goarm:
-      - 7
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
@@ -162,8 +150,6 @@ builds:
      - amd64
      - arm64
      - arm
-    goarm:
-      - 7
    ldflags:
      - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.BuildDate={{.CommitDate}}
    mod_timestamp: "{{ .CommitTimestamp }}"
@@ -184,8 +170,6 @@ builds:
      - amd64
      - arm64
      - arm
-    goarm:
-      - 7
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
@@ -238,192 +222,670 @@ nfpms:
    rpm:
      signature:
        key_file: '{{ if index .Env "GPG_RPM_KEY_FILE" }}{{ .Env.GPG_RPM_KEY_FILE }}{{ end }}'
-dockers_v2:
-   - id: netbird
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
-     ids:
-       - netbird
-     images:
-       - netbirdio/netbird
-       - ghcr.io/netbirdio/netbird
-     tags:
-       - "{{ .Version }}"
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
-     dockerfile: client/Dockerfile
-     extra_files:
-       - client/netbird-entrypoint.sh
-     platforms:
-       - linux/amd64
-       - linux/arm64
-       - linux/arm/6
-     annotations:
-       "org.opencontainers.image.created": "{{.Date}}"
-       "org.opencontainers.image.title": "{{.ProjectName}}"
-       "org.opencontainers.image.version": "{{.Version}}"
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
-       "org.opencontainers.image.source": "{{.GitURL}}"
-       "maintainer": "dev@netbird.io"
-   - id: netbird-rootless
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
-     ids:
-       - netbird
-     images:
-       - netbirdio/netbird
-       - ghcr.io/netbirdio/netbird
-     tags:
-       - "v{{ .Version }}-rootless"
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
-     dockerfile: client/Dockerfile-rootless
-     extra_files:
-       - client/netbird-entrypoint.sh
-     platforms:
-       - linux/amd64
-       - linux/arm64
-       - linux/arm/6
-     annotations:
-       "org.opencontainers.image.created": "{{.Date}}"
-       "org.opencontainers.image.title": "{{.ProjectName}}"
-       "org.opencontainers.image.version": "{{.Version}}"
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
-       "org.opencontainers.image.source": "{{.GitURL}}"
-       "maintainer": "dev@netbird.io"
-   - id: relay
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
-     ids:
-       - netbird-relay
-     images:
-       - netbirdio/relay
-       - ghcr.io/netbirdio/relay
-     tags:
-       - "{{ .Version }}"
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
-     dockerfile: relay/Dockerfile
-     platforms:
-       - linux/amd64
-       - linux/arm64
-       - linux/arm
-     annotations:
-       "org.opencontainers.image.created": "{{.Date}}"
-       "org.opencontainers.image.title": "{{.ProjectName}}"
-       "org.opencontainers.image.version": "{{.Version}}"
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
-       "org.opencontainers.image.source": "{{.GitURL}}"
-       "maintainer": "dev@netbird.io"
-   - id: signal
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
-     ids:
-       - netbird-signal
-     images:
-       - netbirdio/signal
-       - ghcr.io/netbirdio/signal
-     tags:
-       - "{{ .Version }}"
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
-     dockerfile: signal/Dockerfile
-     platforms:
-       - linux/amd64
-       - linux/arm64
-       - linux/arm
-     annotations:
-       "org.opencontainers.image.created": "{{.Date}}"
-       "org.opencontainers.image.title": "{{.ProjectName}}"
-       "org.opencontainers.image.version": "{{.Version}}"
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
-       "org.opencontainers.image.source": "{{.GitURL}}"
-       "maintainer": "dev@netbird.io"
-   - id: management
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
-     ids:
-       - netbird-mgmt
-     images:
-       - netbirdio/management
-       - ghcr.io/netbirdio/management
-     tags:
-       - "{{ .Version }}"
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
-     dockerfile: management/Dockerfile
-     platforms:
-       - linux/amd64
-       - linux/arm64
-       - linux/arm
-     annotations:
-       "org.opencontainers.image.created": "{{.Date}}"
-       "org.opencontainers.image.title": "{{.ProjectName}}"
-       "org.opencontainers.image.version": "{{.Version}}"
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
-       "org.opencontainers.image.source": "{{.GitURL}}"
-       "maintainer": "dev@netbird.io"
-   - id: upload
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
-     ids:
-       - netbird-upload
-     images:
-       - netbirdio/upload
-       - ghcr.io/netbirdio/upload
-     tags:
-       - "{{ .Version }}"
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
-     dockerfile: upload-server/Dockerfile
-     platforms:
-       - linux/amd64
-       - linux/arm64
-       - linux/arm
-     annotations:
-       "org.opencontainers.image.created": "{{.Date}}"
-       "org.opencontainers.image.title": "{{.ProjectName}}"
-       "org.opencontainers.image.version": "{{.Version}}"
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
-       "org.opencontainers.image.source": "{{.GitURL}}"
-       "maintainer": "dev@netbird.io"
-   - id: netbird-server
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
-     ids:
-       - netbird-server
-     images:
-       - netbirdio/netbird-server
-       - ghcr.io/netbirdio/netbird-server
-     tags:
-       - "{{ .Version }}"
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
-     dockerfile: combined/Dockerfile
-     platforms:
-       - linux/amd64
-       - linux/arm64
-       - linux/arm
-     annotations:
-       "org.opencontainers.image.created": "{{.Date}}"
-       "org.opencontainers.image.title": "{{.ProjectName}}"
-       "org.opencontainers.image.version": "{{.Version}}"
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
-       "org.opencontainers.image.source": "{{.GitURL}}"
-       "maintainer": "dev@netbird.io"
-   - id: netbird-proxy
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
-     ids:
-       - netbird-proxy
-     images:
-       - netbirdio/reverse-proxy
-       - ghcr.io/netbirdio/reverse-proxy
-     tags:
-       - "{{ .Version }}"
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
-     dockerfile: proxy/Dockerfile
-     platforms:
-       - linux/amd64
-       - linux/arm64
-       - linux/arm
-     annotations:
-       "org.opencontainers.image.created": "{{.Date}}"
-       "org.opencontainers.image.title": "{{.ProjectName}}"
-       "org.opencontainers.image.version": "{{.Version}}"
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
-       "org.opencontainers.image.source": "{{.GitURL}}"
-       "maintainer": "dev@netbird.io"
+dockers:
+  - image_templates:
+      - netbirdio/netbird:{{ .Version }}-amd64
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
+    ids:
+      - netbird
+    goarch: amd64
+    use: buildx
+    dockerfile: client/Dockerfile
+    extra_files:
+      - client/netbird-entrypoint.sh
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
+    ids:
+      - netbird
+    goarch: arm64
+    use: buildx
+    dockerfile: client/Dockerfile
+    extra_files:
+      - client/netbird-entrypoint.sh
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird:{{ .Version }}-arm
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
+    ids:
+      - netbird
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: client/Dockerfile
+    extra_files:
+      - client/netbird-entrypoint.sh
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+
+  - image_templates:
+      - netbirdio/netbird:{{ .Version }}-rootless-amd64
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
+    ids:
+      - netbird
+    goarch: amd64
+    use: buildx
+    dockerfile: client/Dockerfile-rootless
+    extra_files:
+      - client/netbird-entrypoint.sh
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
+    ids:
+      - netbird
+    goarch: arm64
+    use: buildx
+    dockerfile: client/Dockerfile-rootless
+    extra_files:
+      - client/netbird-entrypoint.sh
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird:{{ .Version }}-rootless-arm
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
+    ids:
+      - netbird
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: client/Dockerfile-rootless
+    extra_files:
+      - client/netbird-entrypoint.sh
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+
+  - image_templates:
+      - netbirdio/relay:{{ .Version }}-amd64
+      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
+    ids:
+      - netbird-relay
+    goarch: amd64
+    use: buildx
+    dockerfile: relay/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/relay:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
+    ids:
+      - netbird-relay
+    goarch: arm64
+    use: buildx
+    dockerfile: relay/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/relay:{{ .Version }}-arm
+      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
+    ids:
+      - netbird-relay
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: relay/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/signal:{{ .Version }}-amd64
+      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
+    ids:
+      - netbird-signal
+    goarch: amd64
+    use: buildx
+    dockerfile: signal/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/signal:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
+    ids:
+      - netbird-signal
+    goarch: arm64
+    use: buildx
+    dockerfile: signal/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/signal:{{ .Version }}-arm
+      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
+    ids:
+      - netbird-signal
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: signal/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-amd64
+      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
+    ids:
+      - netbird-mgmt
+    goarch: amd64
+    use: buildx
+    dockerfile: management/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
+    ids:
+      - netbird-mgmt
+    goarch: arm64
+    use: buildx
+    dockerfile: management/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-arm
+      - ghcr.io/netbirdio/management:{{ .Version }}-arm
+    ids:
+      - netbird-mgmt
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: management/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-debug-amd64
+      - ghcr.io/netbirdio/management:{{ .Version }}-debug-amd64
+    ids:
+      - netbird-mgmt
+    goarch: amd64
+    use: buildx
+    dockerfile: management/Dockerfile.debug
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-debug-arm64v8
+      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm64v8
+    ids:
+      - netbird-mgmt
+    goarch: arm64
+    use: buildx
+    dockerfile: management/Dockerfile.debug
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-debug-arm
+      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm
+    ids:
+      - netbird-mgmt
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: management/Dockerfile.debug
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/upload:{{ .Version }}-amd64
+      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
+    ids:
+      - netbird-upload
+    goarch: amd64
+    use: buildx
+    dockerfile: upload-server/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/upload:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
+    ids:
+      - netbird-upload
+    goarch: arm64
+    use: buildx
+    dockerfile: upload-server/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/upload:{{ .Version }}-arm
+      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
+    ids:
+      - netbird-upload
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: upload-server/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird-server:{{ .Version }}-amd64
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
+    ids:
+      - netbird-server
+    goarch: amd64
+    use: buildx
+    dockerfile: combined/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird-server:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
+    ids:
+      - netbird-server
+    goarch: arm64
+    use: buildx
+    dockerfile: combined/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird-server:{{ .Version }}-arm
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
+    ids:
+      - netbird-server
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: combined/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/reverse-proxy:{{ .Version }}-amd64
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
+    ids:
+      - netbird-proxy
+    goarch: amd64
+    use: buildx
+    dockerfile: proxy/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
+    ids:
+      - netbird-proxy
+    goarch: arm64
+    use: buildx
+    dockerfile: proxy/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/reverse-proxy:{{ .Version }}-arm
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
+    ids:
+      - netbird-proxy
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: proxy/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+docker_manifests:
+  - name_template: netbirdio/netbird:{{ .Version }}
+    image_templates:
+      - netbirdio/netbird:{{ .Version }}-arm64v8
+      - netbirdio/netbird:{{ .Version }}-arm
+      - netbirdio/netbird:{{ .Version }}-amd64
+
+  - name_template: netbirdio/netbird:latest
+    image_templates:
+      - netbirdio/netbird:{{ .Version }}-arm64v8
+      - netbirdio/netbird:{{ .Version }}-arm
+      - netbirdio/netbird:{{ .Version }}-amd64
+
+  - name_template: netbirdio/netbird:{{ .Version }}-rootless
+    image_templates:
+      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
+      - netbirdio/netbird:{{ .Version }}-rootless-arm
+      - netbirdio/netbird:{{ .Version }}-rootless-amd64
+
+  - name_template: netbirdio/netbird:rootless-latest
+    image_templates:
+      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
+      - netbirdio/netbird:{{ .Version }}-rootless-arm
+      - netbirdio/netbird:{{ .Version }}-rootless-amd64
+
+  - name_template: netbirdio/relay:{{ .Version }}
+    image_templates:
+      - netbirdio/relay:{{ .Version }}-arm64v8
+      - netbirdio/relay:{{ .Version }}-arm
+      - netbirdio/relay:{{ .Version }}-amd64
+
+  - name_template: netbirdio/relay:latest
+    image_templates:
+      - netbirdio/relay:{{ .Version }}-arm64v8
+      - netbirdio/relay:{{ .Version }}-arm
+      - netbirdio/relay:{{ .Version }}-amd64
+
+  - name_template: netbirdio/signal:{{ .Version }}
+    image_templates:
+      - netbirdio/signal:{{ .Version }}-arm64v8
+      - netbirdio/signal:{{ .Version }}-arm
+      - netbirdio/signal:{{ .Version }}-amd64
+
+  - name_template: netbirdio/signal:latest
+    image_templates:
+      - netbirdio/signal:{{ .Version }}-arm64v8
+      - netbirdio/signal:{{ .Version }}-arm
+      - netbirdio/signal:{{ .Version }}-amd64
+
+  - name_template: netbirdio/management:{{ .Version }}
+    image_templates:
+      - netbirdio/management:{{ .Version }}-arm64v8
+      - netbirdio/management:{{ .Version }}-arm
+      - netbirdio/management:{{ .Version }}-amd64
+
+  - name_template: netbirdio/management:latest
+    image_templates:
+      - netbirdio/management:{{ .Version }}-arm64v8
+      - netbirdio/management:{{ .Version }}-arm
+      - netbirdio/management:{{ .Version }}-amd64
+
+  - name_template: netbirdio/management:debug-latest
+    image_templates:
+      - netbirdio/management:{{ .Version }}-debug-arm64v8
+      - netbirdio/management:{{ .Version }}-debug-arm
+      - netbirdio/management:{{ .Version }}-debug-amd64
+  - name_template: netbirdio/upload:{{ .Version }}
+    image_templates:
+      - netbirdio/upload:{{ .Version }}-arm64v8
+      - netbirdio/upload:{{ .Version }}-arm
+      - netbirdio/upload:{{ .Version }}-amd64
+
+  - name_template: netbirdio/upload:latest
+    image_templates:
+      - netbirdio/upload:{{ .Version }}-arm64v8
+      - netbirdio/upload:{{ .Version }}-arm
+      - netbirdio/upload:{{ .Version }}-amd64
+
+  - name_template: netbirdio/netbird-server:{{ .Version }}
+    image_templates:
+      - netbirdio/netbird-server:{{ .Version }}-arm64v8
+      - netbirdio/netbird-server:{{ .Version }}-arm
+      - netbirdio/netbird-server:{{ .Version }}-amd64
+
+  - name_template: netbirdio/netbird-server:latest
+    image_templates:
+      - netbirdio/netbird-server:{{ .Version }}-arm64v8
+      - netbirdio/netbird-server:{{ .Version }}-arm
+      - netbirdio/netbird-server:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}
+    image_templates:
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/netbird:latest
+    image_templates:
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}-rootless
+    image_templates:
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
+
+  - name_template: ghcr.io/netbirdio/netbird:rootless-latest
+    image_templates:
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
+
+  - name_template: ghcr.io/netbirdio/relay:{{ .Version }}
+    image_templates:
+      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
+      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/relay:latest
+    image_templates:
+      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
+      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/signal:{{ .Version }}
+    image_templates:
+      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
+      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/signal:latest
+    image_templates:
+      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
+      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/management:{{ .Version }}
+    image_templates:
+      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/management:{{ .Version }}-arm
+      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/management:latest
+    image_templates:
+      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/management:{{ .Version }}-arm
+      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/management:debug-latest
+    image_templates:
+      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm64v8
+      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm
+      - ghcr.io/netbirdio/management:{{ .Version }}-debug-amd64
+
+  - name_template: ghcr.io/netbirdio/upload:{{ .Version }}
+    image_templates:
+      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
+      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/upload:latest
+    image_templates:
+      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
+      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/netbird-server:{{ .Version }}
+    image_templates:
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/netbird-server:latest
+    image_templates:
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
+
+  - name_template: netbirdio/reverse-proxy:{{ .Version }}
+    image_templates:
+      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
+      - netbirdio/reverse-proxy:{{ .Version }}-arm
+      - netbirdio/reverse-proxy:{{ .Version }}-amd64
+
+  - name_template: netbirdio/reverse-proxy:latest
+    image_templates:
+      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
+      - netbirdio/reverse-proxy:{{ .Version }}-arm
+      - netbirdio/reverse-proxy:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/reverse-proxy:{{ .Version }}
+    image_templates:
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/reverse-proxy:latest
+    image_templates:
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64

 brews:
  - ids:
      - default
-    skip_upload: "{{ .Env.SKIP_PUBLISH }}"
    repository:
      owner: netbirdio
      name: homebrew-tap
@@ -440,7 +902,6 @@ brews:

 uploads:
  - name: debian
-    skip: "{{ .Env.SKIP_PUBLISH }}"
    ids:
      - netbird_deb
    mode: archive
@@ -449,7 +910,6 @@ uploads:
    method: PUT

  - name: yum
-    skip: "{{ .Env.SKIP_PUBLISH }}"
    ids:
      - netbird_rpm
    mode: archive
@@ -462,13 +922,9 @@ checksum:
    - glob: ./infrastructure_files/getting-started-with-zitadel.sh
    - glob: ./release_files/install.sh
    - glob: ./infrastructure_files/getting-started.sh
-    - glob: ./infrastructure_files/getting-started-enterprise.sh
-    - glob: ./infrastructure_files/migrate-to-enterprise.sh

 release:
  extra_files:
    - glob: ./infrastructure_files/getting-started-with-zitadel.sh
    - glob: ./release_files/install.sh
    - glob: ./infrastructure_files/getting-started.sh
-    - glob: ./infrastructure_files/getting-started-enterprise.sh
-    - glob: ./infrastructure_files/migrate-to-enterprise.sh
--- a/.goreleaser_ui.yaml
+++ b/.goreleaser_ui.yaml
@@ -1,6 +1,5 @@
 version: 2
-env:
-  - SKIP_PUBLISH={{ if index .Env "SKIP_PUBLISH" }}{{ .Env.SKIP_PUBLISH }}{{ else }}true{{ end }}
+
 project_name: netbird-ui
 builds:
  - id: netbird-ui
@@ -102,7 +101,6 @@ nfpms:

 uploads:
  - name: debian
-    skip: "{{ .Env.SKIP_PUBLISH }}"
    ids:
      - netbird_ui_deb
    mode: archive
@@ -111,7 +109,6 @@ uploads:
    method: PUT

  - name: yum
-    skip: "{{ .Env.SKIP_PUBLISH }}"
    ids:
      - netbird_ui_rpm
    mode: archive
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -4,7 +4,7 @@
 #   sudo podman build -t localhost/netbird:latest -f client/Dockerfile --ignorefile .dockerignore-client .
 #   sudo podman run --rm -it --cap-add={BPF,NET_ADMIN,NET_RAW} localhost/netbird:latest

-FROM alpine:3.24
+FROM alpine:3.23.3
 # iproute2: busybox doesn't display ip rules properly
 RUN apk add --no-cache \
    bash \
@@ -21,7 +21,7 @@ ENV \
    NB_ENTRYPOINT_SERVICE_TIMEOUT="30"

 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]
-ARG TARGETPLATFORM
-ARG NETBIRD_BINARY=$TARGETPLATFORM/netbird
+
+ARG NETBIRD_BINARY=netbird
 COPY client/netbird-entrypoint.sh /usr/local/bin/netbird-entrypoint.sh
 COPY "${NETBIRD_BINARY}"  /usr/local/bin/netbird
--- a/client/Dockerfile-rootless
+++ b/client/Dockerfile-rootless
@@ -4,7 +4,7 @@
 #   podman build -t localhost/netbird:latest -f client/Dockerfile --ignorefile .dockerignore-client .
 #   podman run --rm -it --cap-add={BPF,NET_ADMIN,NET_RAW} localhost/netbird:latest

-FROM alpine:3.24
+FROM alpine:3.22.0

 RUN apk add --no-cache \
      bash \
@@ -27,7 +27,7 @@ ENV \
    NB_ENTRYPOINT_SERVICE_TIMEOUT="30"

 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]
-ARG TARGETPLATFORM
-ARG NETBIRD_BINARY=$TARGETPLATFORM/netbird
+
+ARG NETBIRD_BINARY=netbird
 COPY client/netbird-entrypoint.sh /usr/local/bin/netbird-entrypoint.sh
 COPY "${NETBIRD_BINARY}"  /usr/local/bin/netbird
--- a/client/android/profile_manager.go
+++ b/client/android/profile_manager.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"

 	log "github.com/sirupsen/logrus"

@@ -23,7 +24,6 @@ const (

 // Profile represents a profile for gomobile
 type Profile struct {
-	ID       string
 	Name     string
 	IsActive bool
 }
@@ -53,10 +53,10 @@ func (p *ProfileArray) Get(i int) *Profile {
 ├── state.json                                  ← Default profile state
 ├── active_profile.json                         ← Active profile tracker (JSON with Name + Username)
 └── profiles/                                   ← Subdirectory for non-default profiles
-    ├── work.json                              			← Legacy work profile config
-    ├── work.state.json                        			← Legacy work profile state
-    ├── 4c5f5c8198c3989cffb5b5394f5a7ae0.json  			← ID profile config
-    ├── 4c5f5c8198c3989cffb5b5394f5a7ae0.state.json ← ID profile state
+    ├── work.json                              ← Work profile config
+    ├── work.state.json                        ← Work profile state
+    ├── personal.json                          ← Personal profile config
+    └── personal.state.json                    ← Personal profile state
 */

 // ProfileManager manages profiles for Android
@@ -99,7 +99,6 @@ func (pm *ProfileManager) ListProfiles() (*ProfileArray, error) {
 	var profiles []*Profile
 	for _, p := range internalProfiles {
 		profiles = append(profiles, &Profile{
-			ID:       p.ID.String(),
 			Name:     p.Name,
 			IsActive: p.IsActive,
 		})
@@ -109,65 +108,55 @@ func (pm *ProfileManager) ListProfiles() (*ProfileArray, error) {
 }

 // GetActiveProfile returns the currently active profile name
-func (pm *ProfileManager) GetActiveProfile() (*Profile, error) {
+func (pm *ProfileManager) GetActiveProfile() (string, error) {
 	// Use ServiceManager to stay consistent with ListProfiles
 	// ServiceManager uses active_profile.json
 	activeState, err := pm.serviceMgr.GetActiveProfileState()
 	if err != nil {
-		return nil, fmt.Errorf("failed to get active profile: %w", err)
+		return "", fmt.Errorf("failed to get active profile: %w", err)
 	}
-
-	// ActiveProfileState only stores the ID (and username), not the display
-	// name. Resolve the ID to the full profile so callers get the real Name.
-	prof, err := pm.serviceMgr.ResolveProfile(activeState.ID.String(), androidUsername)
-	if err != nil {
-		return nil, fmt.Errorf("failed to resolve active profile %q: %w", activeState.ID, err)
-	}
-	return &Profile{ID: prof.ID.String(), Name: prof.Name, IsActive: true}, nil
+	return activeState.Name, nil
 }

 // SwitchProfile switches to a different profile
-func (pm *ProfileManager) SwitchProfile(id string) error {
+func (pm *ProfileManager) SwitchProfile(profileName string) error {
 	// Use ServiceManager to stay consistent with ListProfiles
 	// ServiceManager uses active_profile.json
 	err := pm.serviceMgr.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		ID:       profilemanager.ID(id),
+		Name:     profileName,
 		Username: androidUsername,
 	})
 	if err != nil {
 		return fmt.Errorf("failed to switch profile: %w", err)
 	}

-	log.Infof("switched to profile: %s", id)
+	log.Infof("switched to profile: %s", profileName)
 	return nil
 }

 // AddProfile creates a new profile
 func (pm *ProfileManager) AddProfile(profileName string) error {
 	// Use ServiceManager (creates profile in profiles/ directory)
-	profile, err := pm.serviceMgr.AddProfile(profileName, androidUsername)
-	if err != nil {
+	if err := pm.serviceMgr.AddProfile(profileName, androidUsername); err != nil {
 		return fmt.Errorf("failed to add profile: %w", err)
 	}

-	log.Infof("created new profile: %s", profile.ID)
+	log.Infof("created new profile: %s", profileName)
 	return nil
 }

 // LogoutProfile logs out from a profile (clears authentication)
-func (pm *ProfileManager) LogoutProfile(id string) error {
-	configPath, err := pm.getProfileConfigPath(id)
+func (pm *ProfileManager) LogoutProfile(profileName string) error {
+	profileName = sanitizeProfileName(profileName)
+
+	configPath, err := pm.getProfileConfigPath(profileName)
 	if err != nil {
 		return err
 	}

-	if !profilemanager.IsValidProfileFilenameStem(profilemanager.ID(id)) {
-		return fmt.Errorf("id '%s' is not valid", id)
-	}
-
 	// Check if profile exists
 	if _, err := os.Stat(configPath); os.IsNotExist(err) {
-		return fmt.Errorf("profile '%s' does not exist", id)
+		return fmt.Errorf("profile '%s' does not exist", profileName)
 	}

 	// Read current config using internal profilemanager
@@ -185,57 +174,53 @@ func (pm *ProfileManager) LogoutProfile(id string) error {
 		return fmt.Errorf("failed to save config: %w", err)
 	}

-	log.Infof("logged out from profile: %s", id)
+	log.Infof("logged out from profile: %s", profileName)
 	return nil
 }

 // RemoveProfile deletes a profile
-func (pm *ProfileManager) RemoveProfile(id string) error {
+func (pm *ProfileManager) RemoveProfile(profileName string) error {
 	// Use ServiceManager (removes profile from profiles/ directory)
-	if err := pm.serviceMgr.RemoveProfile(profilemanager.ID(id), androidUsername); err != nil {
+	if err := pm.serviceMgr.RemoveProfile(profileName, androidUsername); err != nil {
 		return fmt.Errorf("failed to remove profile: %w", err)
 	}

-	log.Infof("removed profile: %s", id)
+	log.Infof("removed profile: %s", profileName)
 	return nil
 }

 // getProfileConfigPath returns the config file path for a profile
 // This is needed for Android-specific path handling (netbird.cfg for default profile)
-func (pm *ProfileManager) getProfileConfigPath(id string) (string, error) {
-	if !profilemanager.IsValidProfileFilenameStem(profilemanager.ID(id)) {
-		return "", fmt.Errorf("id %q is not valid", id)
-	}
-
-	if id == profilemanager.DefaultProfileName {
+func (pm *ProfileManager) getProfileConfigPath(profileName string) (string, error) {
+	if profileName == "" || profileName == profilemanager.DefaultProfileName {
 		// Android uses netbird.cfg for default profile instead of default.json
 		// Default profile is stored in root configDir, not in profiles/
 		return filepath.Join(pm.configDir, defaultConfigFilename), nil
 	}

+	// Non-default profiles are stored in profiles subdirectory
+	// This matches the Java Preferences.java expectation
+	profileName = sanitizeProfileName(profileName)
 	profilesDir := filepath.Join(pm.configDir, profilesSubdir)
-	return filepath.Join(profilesDir, id+".json"), nil
+	return filepath.Join(profilesDir, profileName+".json"), nil
 }

-// GetConfigPath returns the config file path for a given profile id
+// GetConfigPath returns the config file path for a given profile
 // Java should call this instead of constructing paths with Preferences.configFile()
-func (pm *ProfileManager) GetConfigPath(id string) (string, error) {
-	return pm.getProfileConfigPath(id)
+func (pm *ProfileManager) GetConfigPath(profileName string) (string, error) {
+	return pm.getProfileConfigPath(profileName)
 }

 // GetStateFilePath returns the state file path for a given profile
 // Java should call this instead of constructing paths with Preferences.stateFile()
-func (pm *ProfileManager) GetStateFilePath(id string) (string, error) {
-	if id == "" || id == profilemanager.DefaultProfileName {
+func (pm *ProfileManager) GetStateFilePath(profileName string) (string, error) {
+	if profileName == "" || profileName == profilemanager.DefaultProfileName {
 		return filepath.Join(pm.configDir, "state.json"), nil
 	}

-	if !profilemanager.IsValidProfileFilenameStem(profilemanager.ID(id)) {
-		return "", fmt.Errorf("id %q is not valid", id)
-	}
-
+	profileName = sanitizeProfileName(profileName)
 	profilesDir := filepath.Join(pm.configDir, profilesSubdir)
-	return filepath.Join(profilesDir, id+".state.json"), nil
+	return filepath.Join(profilesDir, profileName+".state.json"), nil
 }

 // GetActiveConfigPath returns the config file path for the currently active profile
@@ -245,7 +230,7 @@ func (pm *ProfileManager) GetActiveConfigPath() (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("failed to get active profile: %w", err)
 	}
-	return pm.GetConfigPath(activeProfile.ID)
+	return pm.GetConfigPath(activeProfile)
 }

 // GetActiveStateFilePath returns the state file path for the currently active profile
@@ -255,5 +240,18 @@ func (pm *ProfileManager) GetActiveStateFilePath() (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("failed to get active profile: %w", err)
 	}
-	return pm.GetStateFilePath(activeProfile.ID)
+	return pm.GetStateFilePath(activeProfile)
+}
+
+// sanitizeProfileName removes invalid characters from profile name
+func sanitizeProfileName(name string) string {
+	// Keep only alphanumeric, underscore, and hyphen
+	var result strings.Builder
+	for _, r := range name {
+		if (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') ||
+			(r >= '0' && r <= '9') || r == '_' || r == '-' {
+			result.WriteRune(r)
+		}
+	}
+	return result.String()
 }
--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -130,7 +130,7 @@ func debugConfigDump(cmd *cobra.Command, _ []string) error {

 	client := proto.NewDaemonServiceClient(conn)
 	resp, err := client.GetConfig(cmd.Context(), &proto.GetConfigRequest{
-		ProfileName: string(activeProf.ID),
+		ProfileName: activeProf.Name,
 		Username:    currUser.Username,
 	})
 	if err != nil {
--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -96,19 +96,17 @@ func doDaemonLogin(ctx context.Context, cmd *cobra.Command, providedSetupKey str
 		dnsLabelsReq = dnsLabelsValidated.ToSafeStringList()
 	}

-	handle := activeProf.ID.String()
-
 	loginRequest := proto.LoginRequest{
 		SetupKey:            providedSetupKey,
 		ManagementUrl:       managementURL,
 		IsUnixDesktopClient: isUnixRunningDesktop(),
 		Hostname:            hostName,
 		DnsLabels:           dnsLabelsReq,
-		ProfileName:         &handle,
+		ProfileName:         &activeProf.Name,
 		Username:            &username,
 	}

-	profileState, err := pm.GetProfileState(activeProf.ID)
+	profileState, err := pm.GetProfileState(activeProf.Name)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {
@@ -172,13 +170,14 @@ func getActiveProfile(ctx context.Context, pm *profilemanager.ProfileManager, pr
 	return activeProf, nil
 }

-func switchProfileOnDaemon(ctx context.Context, pm *profilemanager.ProfileManager, handle string, username string) error {
-	resolvedID, err := switchProfile(ctx, handle, username)
+func switchProfileOnDaemon(ctx context.Context, pm *profilemanager.ProfileManager, profileName string, username string) error {
+	err := switchProfile(context.Background(), profileName, username)
 	if err != nil {
 		return fmt.Errorf("switch profile on daemon: %v", err)
 	}

-	if err := pm.SwitchProfile(resolvedID); err != nil {
+	err = pm.SwitchProfile(profileName)
+	if err != nil {
 		return fmt.Errorf("switch profile: %v", err)
 	}

@@ -206,15 +205,11 @@ func switchProfileOnDaemon(ctx context.Context, pm *profilemanager.ProfileManage
 	return nil
 }

-// switchProfile asks the daemon to switch to the profile identified by
-// handle (a name, ID, or unique ID prefix). Returns the resolved profile
-// ID so the caller can update the local active-profile state without
-// re-resolving the handle.
-func switchProfile(ctx context.Context, handle string, username string) (profilemanager.ID, error) {
+func switchProfile(ctx context.Context, profileName string, username string) error {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
 		//nolint
-		return "", fmt.Errorf("failed to connect to daemon error: %v\n"+
+		return fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)
 	}
@@ -222,15 +217,15 @@ func switchProfile(ctx context.Context, handle string, username string) (profile

 	client := proto.NewDaemonServiceClient(conn)

-	resp, err := client.SwitchProfile(ctx, &proto.SwitchProfileRequest{
-		ProfileName: &handle,
+	_, err = client.SwitchProfile(ctx, &proto.SwitchProfileRequest{
+		ProfileName: &profileName,
 		Username:    &username,
 	})
 	if err != nil {
-		return "", fmt.Errorf("switch profile failed: %w", err)
+		return fmt.Errorf("switch profile failed: %v", err)
 	}

-	return profilemanager.ID(resp.Id), nil
+	return nil
 }

 func doForegroundLogin(ctx context.Context, cmd *cobra.Command, setupKey string, activeProf *profilemanager.Profile) error {
@@ -254,7 +249,7 @@ func doForegroundLogin(ctx context.Context, cmd *cobra.Command, setupKey string,
 		return fmt.Errorf("read config file %s: %v", configFilePath, err)
 	}

-	err = foregroundLogin(ctx, cmd, config, setupKey, activeProf.ID)
+	err = foregroundLogin(ctx, cmd, config, setupKey, activeProf.Name)
 	if err != nil {
 		return fmt.Errorf("foreground login failed: %v", err)
 	}
@@ -282,7 +277,7 @@ func handleSSOLogin(ctx context.Context, cmd *cobra.Command, loginResp *proto.Lo
 	return nil
 }

-func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, setupKey string, profileID profilemanager.ID) error {
+func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, setupKey, profileName string) error {
 	authClient, err := auth.NewAuth(ctx, config.PrivateKey, config.ManagementURL, config)
 	if err != nil {
 		return fmt.Errorf("failed to create auth client: %v", err)
@@ -296,7 +291,7 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman

 	jwtToken := ""
 	if setupKey == "" && needsLogin {
-		tokenInfo, err := foregroundGetTokenInfo(ctx, cmd, config, profileID)
+		tokenInfo, err := foregroundGetTokenInfo(ctx, cmd, config, profileName)
 		if err != nil {
 			return fmt.Errorf("interactive sso login failed: %v", err)
 		}
@@ -311,10 +306,10 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman
 	return nil
 }

-func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, profileID profilemanager.ID) (*auth.TokenInfo, error) {
+func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, profileName string) (*auth.TokenInfo, error) {
 	hint := ""
 	pm := profilemanager.NewProfileManager()
-	profileState, err := pm.GetProfileState(profileID)
+	profileState, err := pm.GetProfileState(profileName)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {
--- a/client/cmd/login_test.go
+++ b/client/cmd/login_test.go
@@ -27,7 +27,7 @@ func TestLogin(t *testing.T) {
 	profilemanager.ActiveProfileStatePath = tempDir + "/active_profile.json"
 	sm := profilemanager.ServiceManager{}
 	err = sm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		ID:       "default",
+		Name:     "default",
 		Username: currUser.Username,
 	})
 	if err != nil {
--- a/client/cmd/profile.go
+++ b/client/cmd/profile.go
@@ -2,16 +2,11 @@ package cmd

 import (
 	"context"
-	"errors"
 	"fmt"
 	"os/user"
-	"strings"
-	"text/tabwriter"
 	"time"

 	"github.com/spf13/cobra"
-	"google.golang.org/grpc/codes"
-	gstatus "google.golang.org/grpc/status"

 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
@@ -19,8 +14,6 @@ import (
 	"github.com/netbirdio/netbird/util"
 )

-var profileListShowID bool
-
 var profileCmd = &cobra.Command{
 	Use:   "profile",
 	Short: "Manage NetBird client profiles",
@@ -38,40 +31,27 @@ var profileListCmd = &cobra.Command{
 var profileAddCmd = &cobra.Command{
 	Use:   "add <profile_name>",
 	Short: "Add a new profile",
-	Long:  `Add a new profile. Profile name is free-form, a unique ID is generated for the on-disk config file.`,
+	Long:  `Add a new profile to the NetBird client. The profile name must be unique.`,
 	Args:  cobra.ExactArgs(1),
 	RunE:  addProfileFunc,
 }

-var profileRenameCmd = &cobra.Command{
-	Use:   "rename <profile> <new_profile_name>",
-	Short: "Renames an existing profile",
-	Long:  `Renames an existing profile (by a name, ID, or unique ID prefix). Profile name is free-form.`,
-	Args:  cobra.ExactArgs(2),
-	RunE:  renameProfileFunc,
-}
-
 var profileRemoveCmd = &cobra.Command{
-	Use:     "remove <profile>",
-	Short:   "Remove a profile",
-	Long:    `Remove a profile by name, ID, or unique ID prefix.`,
-	Aliases: []string{"rm"},
-	Args:    cobra.ExactArgs(1),
-	RunE:    removeProfileFunc,
+	Use:   "remove <profile_name>",
+	Short: "Remove a profile",
+	Long:  `Remove a profile from the NetBird client. The profile must not be inactive.`,
+	Args:  cobra.ExactArgs(1),
+	RunE:  removeProfileFunc,
 }

 var profileSelectCmd = &cobra.Command{
-	Use:   "select <profile>",
+	Use:   "select <profile_name>",
 	Short: "Select a profile",
-	Long:  `Make the specified profile active. Accepts a name, ID, or unique ID prefix.`,
+	Long:  `Make the specified profile active. This will switch the client to use the selected profile's configuration.`,
 	Args:  cobra.ExactArgs(1),
 	RunE:  selectProfileFunc,
 }

-func init() {
-	profileListCmd.Flags().BoolVar(&profileListShowID, "show-id", false, "show the profile ID column")
-}
-
 func setupCmd(cmd *cobra.Command) error {
 	SetFlagsFromEnvVars(rootCmd)
 	SetFlagsFromEnvVars(cmd)
@@ -85,7 +65,6 @@ func setupCmd(cmd *cobra.Command) error {

 	return nil
 }
-
 func listProfilesFunc(cmd *cobra.Command, _ []string) error {
 	if err := setupCmd(cmd); err != nil {
 		return err
@@ -104,33 +83,25 @@ func listProfilesFunc(cmd *cobra.Command, _ []string) error {

 	daemonClient := proto.NewDaemonServiceClient(conn)

-	resp, err := daemonClient.ListProfiles(cmd.Context(), &proto.ListProfilesRequest{
+	profiles, err := daemonClient.ListProfiles(cmd.Context(), &proto.ListProfilesRequest{
 		Username: currUser.Username,
 	})
 	if err != nil {
 		return err
 	}

-	tw := tabwriter.NewWriter(cmd.OutOrStdout(), 0, 0, 2, ' ', 0)
-	if profileListShowID {
-		fmt.Fprintln(tw, "ID\tNAME\tACTIVE")
-	} else {
-		fmt.Fprintln(tw, "NAME\tACTIVE")
-	}
-	for _, profile := range resp.Profiles {
-		marker := ""
+	// list profiles, add a tick if the profile is active
+	cmd.Println("Found", len(profiles.Profiles), "profiles:")
+	for _, profile := range profiles.Profiles {
+		// use a cross to indicate the passive profiles
+		activeMarker := "✗"
 		if profile.IsActive {
-			marker = "✓"
-		}
-		name := profilemanager.StripCtrlChars(profile.Name)
-		id := profilemanager.ID(profile.Id)
-		if profileListShowID {
-			fmt.Fprintf(tw, "%s\t%s\t%s\n", id.ShortID(), name, marker)
-		} else {
-			fmt.Fprintf(tw, "%s\t%s\n", name, marker)
+			activeMarker = "✓"
 		}
+		cmd.Println(activeMarker, profile.Name)
 	}
-	return tw.Flush()
+
+	return nil
 }

 func addProfileFunc(cmd *cobra.Command, args []string) error {
@@ -138,90 +109,33 @@ func addProfileFunc(cmd *cobra.Command, args []string) error {
 		return err
 	}

-	currUser, err := user.Current()
-	if err != nil {
-		return fmt.Errorf("get current user: %w", err)
-	}
-
 	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
 	if err != nil {
 		return fmt.Errorf("connect to service CLI interface: %w", err)
 	}
 	defer conn.Close()

+	currUser, err := user.Current()
+	if err != nil {
+		return fmt.Errorf("get current user: %w", err)
+	}
+
 	daemonClient := proto.NewDaemonServiceClient(conn)
+
 	profileName := args[0]

-	id, err := addProfileOnDaemon(cmd.Context(), daemonClient, profileName, currUser.Username)
-	if err != nil {
-		return err
-	}
-
-	dupCount, _ := countProfilesWithName(cmd.Context(), daemonClient, currUser.Username, profileName)
-	if dupCount > 1 {
-		cmd.Printf("Warning: %d other profile(s) already use the name %q.\n", dupCount-1, profileName)
-		cmd.Println("Use `netbird profile list --show-id` to disambiguate later.")
-	}
-
-	cmd.Printf("Profile added: %s  %s\n", id.ShortID(), profilemanager.StripCtrlChars(profileName))
-	return nil
-
-}
-
-func renameProfileFunc(cmd *cobra.Command, args []string) error {
-	if err := setupCmd(cmd); err != nil {
-		return err
-	}
-
-	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
-	if err != nil {
-		return fmt.Errorf("connect to service CLI interface: %w", err)
-	}
-	defer conn.Close()
-
-	currUser, err := user.Current()
-	if err != nil {
-		return fmt.Errorf("get current user: %w", err)
-	}
-
-	daemonClient := proto.NewDaemonServiceClient(conn)
-	handle := args[0]
-	newProfilename := args[1]
-
-	resp, err := daemonClient.RenameProfile(cmd.Context(), &proto.RenameProfileRequest{
-		Handle:         handle,
-		Username:       currUser.Username,
-		NewProfileName: newProfilename,
+	_, err = daemonClient.AddProfile(cmd.Context(), &proto.AddProfileRequest{
+		ProfileName: profileName,
+		Username:    currUser.Username,
 	})
 	if err != nil {
-		return wrapAmbiguityError(err, handle)
+		return err
 	}

-	dupCount, _ := countProfilesWithName(cmd.Context(), daemonClient, currUser.Username, newProfilename)
-	if dupCount > 1 {
-		cmd.Printf("Warning: %d other profile(s) already use the name %q.\n", dupCount-1, newProfilename)
-		cmd.Println("Use `netbird profile list --show-id` to disambiguate later.")
-	}
-
-	cmd.Printf("Profile renamed from %s to %s\n", profilemanager.StripCtrlChars(resp.OldProfileName), profilemanager.StripCtrlChars(newProfilename))
-
+	cmd.Println("Profile added successfully:", profileName)
 	return nil
 }

-func countProfilesWithName(ctx context.Context, c proto.DaemonServiceClient, username, name string) (int, error) {
-	resp, err := c.ListProfiles(ctx, &proto.ListProfilesRequest{Username: username})
-	if err != nil {
-		return 0, err
-	}
-	n := 0
-	for _, p := range resp.Profiles {
-		if p.Name == name {
-			n++
-		}
-	}
-	return n, nil
-}
-
 func removeProfileFunc(cmd *cobra.Command, args []string) error {
 	if err := setupCmd(cmd); err != nil {
 		return err
@@ -239,17 +153,18 @@ func removeProfileFunc(cmd *cobra.Command, args []string) error {
 	}

 	daemonClient := proto.NewDaemonServiceClient(conn)
-	handle := args[0]

-	resp, err := daemonClient.RemoveProfile(cmd.Context(), &proto.RemoveProfileRequest{
-		ProfileName: handle,
+	profileName := args[0]
+
+	_, err = daemonClient.RemoveProfile(cmd.Context(), &proto.RemoveProfileRequest{
+		ProfileName: profileName,
 		Username:    currUser.Username,
 	})
 	if err != nil {
-		return wrapAmbiguityError(err, handle)
+		return err
 	}

-	cmd.Printf("Profile removed: %s\n", resp.Id)
+	cmd.Println("Profile removed successfully:", profileName)
 	return nil
 }

@@ -259,7 +174,7 @@ func selectProfileFunc(cmd *cobra.Command, args []string) error {
 	}

 	profileManager := profilemanager.NewProfileManager()
-	handle := args[0]
+	profileName := args[0]

 	currUser, err := user.Current()
 	if err != nil {
@@ -276,15 +191,32 @@ func selectProfileFunc(cmd *cobra.Command, args []string) error {

 	daemonClient := proto.NewDaemonServiceClient(conn)

-	switchResp, err := daemonClient.SwitchProfile(ctx, &proto.SwitchProfileRequest{
-		ProfileName: &handle,
-		Username:    &currUser.Username,
+	profiles, err := daemonClient.ListProfiles(ctx, &proto.ListProfilesRequest{
+		Username: currUser.Username,
 	})
 	if err != nil {
-		return wrapAmbiguityError(err, handle)
+		return fmt.Errorf("list profiles: %w", err)
 	}

-	if err := profileManager.SwitchProfile(profilemanager.ID(switchResp.Id)); err != nil {
+	var profileExists bool
+
+	for _, profile := range profiles.Profiles {
+		if profile.Name == profileName {
+			profileExists = true
+			break
+		}
+	}
+
+	if !profileExists {
+		return fmt.Errorf("profile %s does not exist", profileName)
+	}
+
+	if err := switchProfile(cmd.Context(), profileName, currUser.Username); err != nil {
+		return err
+	}
+
+	err = profileManager.SwitchProfile(profileName)
+	if err != nil {
 		return err
 	}

@@ -299,46 +231,6 @@ func selectProfileFunc(cmd *cobra.Command, args []string) error {
 		}
 	}

-	id := profilemanager.ID(switchResp.Id)
-	cmd.Printf("Profile switched to: %s\n", id.ShortID())
+	cmd.Println("Profile switched successfully to:", profileName)
 	return nil
 }
-
-// wrapAmbiguityError turns the daemon's gRPC InvalidArgument errors
-// (which carry the resolver's message verbatim) into CLI-friendly text
-// that points the user at --show-id.
-func wrapAmbiguityError(err error, handle string) error {
-	if err == nil {
-		return nil
-	}
-	st, ok := gstatus.FromError(err)
-	if !ok {
-		return err
-	}
-	switch st.Code() {
-	case codes.InvalidArgument:
-		msg := st.Message()
-		if strings.Contains(msg, "ambiguous") {
-			return errors.New(msg + "\nRun `netbird profile list --show-id` to see IDs, then select by ID prefix:\n  netbird profile select|remove <id-prefix>")
-		}
-	case codes.NotFound:
-		return fmt.Errorf("profile %q not found", handle)
-	}
-	return err
-}
-
-// addProfileOnDaemon issues the AddProfile RPC on an existing daemon client
-// and returns the new profile's ID. It is the single entry point for profile
-// creation, shared by `netbird profile add` and the `netbird up --profile
-// <name>` auto-create path.
-func addProfileOnDaemon(ctx context.Context, client proto.DaemonServiceClient, profileName, username string) (profilemanager.ID, error) {
-	resp, err := client.AddProfile(ctx, &proto.AddProfileRequest{
-		ProfileName: profileName,
-		Username:    username,
-	})
-	if err != nil {
-		return "", fmt.Errorf("add profile failed: %w", err)
-	}
-
-	return profilemanager.ID(resp.Id), nil
-}
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -190,7 +190,6 @@ func init() {
 	// profile commands
 	profileCmd.AddCommand(profileListCmd)
 	profileCmd.AddCommand(profileAddCmd)
-	profileCmd.AddCommand(profileRenameCmd)
 	profileCmd.AddCommand(profileRemoveCmd)
 	profileCmd.AddCommand(profileSelectCmd)

--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -11,6 +11,7 @@ import (
 	"google.golang.org/grpc/status"

 	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/proto"
 	nbstatus "github.com/netbirdio/netbird/client/status"
 	"github.com/netbirdio/netbird/util"
@@ -110,10 +111,11 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		return nil
 	}

-	// Resolve the active profile's display name via the daemon, which runs
-	// as root and can read the per-user profile files. The local profile
-	// manager only knows the active profile ID, not its display name.
-	profName := getActiveProfileName(ctx)
+	pm := profilemanager.NewProfileManager()
+	var profName string
+	if activeProf, err := pm.GetActiveProfile(); err == nil {
+		profName = activeProf.Name
+	}

 	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp.GetFullStatus(), nbstatus.ConvertOptions{
 		Anonymize:            anonymizeFlag,
@@ -165,25 +167,6 @@ func getStatus(ctx context.Context, fullPeerStatus bool, shouldRunProbes bool) (
 	return resp, nil
 }

-// getActiveProfileName asks the daemon for the active profile's display
-// name. The daemon runs as root and can read the per-user profile files to
-// resolve the ID to its human-readable name. Returns an empty string on any
-// error so status output degrades gracefully.
-func getActiveProfileName(ctx context.Context) string {
-	conn, err := DialClientGRPCServer(ctx, daemonAddr)
-	if err != nil {
-		return ""
-	}
-	defer conn.Close()
-
-	resp, err := proto.NewDaemonServiceClient(conn).GetActiveProfile(ctx, &proto.GetActiveProfileRequest{})
-	if err != nil {
-		return ""
-	}
-
-	return resp.GetProfileName()
-}
-
 func parseFilters() error {
 	switch strings.ToLower(statusFilter) {
 	case "", "idle", "connecting", "connected":
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -128,9 +128,16 @@ func upFunc(cmd *cobra.Command, args []string) error {
 	var profileSwitched bool
 	// switch profile if provided
 	if profileName != "" {
-		if err := switchOrCreateProfile(cmd.Context(), pm, profileName, username.Username); err != nil {
+		err = switchProfile(cmd.Context(), profileName, username.Username)
+		if err != nil {
 			return fmt.Errorf("switch profile: %v", err)
 		}
+
+		err = pm.SwitchProfile(profileName)
+		if err != nil {
+			return fmt.Errorf("switch profile: %v", err)
+		}
+
 		profileSwitched = true
 	}

@@ -145,52 +152,6 @@ func upFunc(cmd *cobra.Command, args []string) error {
 	return runInDaemonMode(ctx, cmd, pm, activeProf, profileSwitched)
 }

-// switchOrCreateProfile switches the active profile to the one identified by
-// handle, creating it first when it does not exist yet. This restores the
-// pre-0.73 behaviour where `netbird up --profile <name>` auto-creates a
-// missing profile instead of failing.
-func switchOrCreateProfile(ctx context.Context, pm *profilemanager.ProfileManager, handle, username string) error {
-	resolvedID, err := switchProfile(ctx, handle, username)
-	if err != nil {
-		st, ok := gstatus.FromError(err)
-		if !ok || st.Code() != codes.NotFound {
-			return err
-		}
-		// Don't fail immediately on a create error: a concurrent run may
-		// have created the profile between the NotFound above and this
-		// call, in which case the retried switch still succeeds. Only
-		// surface the create error if the switch also fails.
-		_, createErr := createProfile(ctx, handle, username)
-		if resolvedID, err = switchProfile(ctx, handle, username); err != nil {
-			if createErr != nil {
-				return fmt.Errorf("create profile: %w", createErr)
-			}
-			return err
-		}
-	}
-
-	if err := pm.SwitchProfile(resolvedID); err != nil {
-		return err
-	}
-	return nil
-}
-
-// createProfile dials the daemon and creates a new profile with the given
-// display name, returning its generated ID. Use addProfileOnDaemon directly
-// when a daemon client is already available to reuse the connection.
-func createProfile(ctx context.Context, profileName, username string) (profilemanager.ID, error) {
-	conn, err := DialClientGRPCServer(ctx, daemonAddr)
-	if err != nil {
-		//nolint
-		return "", fmt.Errorf("failed to connect to daemon error: %v\n"+
-			"If the daemon is not running please run: "+
-			"\nnetbird service install \nnetbird service start\n", err)
-	}
-	defer conn.Close()
-
-	return addProfileOnDaemon(ctx, proto.NewDaemonServiceClient(conn), profileName, username)
-}
-
 func runInForegroundMode(ctx context.Context, cmd *cobra.Command, activeProf *profilemanager.Profile) error {
 	// override the default profile filepath if provided
 	if configPath != "" {
@@ -229,7 +190,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command, activeProf *pr

 	_, _ = profilemanager.UpdateOldManagementURL(ctx, config, configFilePath)

-	err = foregroundLogin(ctx, cmd, config, providedSetupKey, activeProf.ID)
+	err = foregroundLogin(ctx, cmd, config, providedSetupKey, activeProf.Name)
 	if err != nil {
 		return fmt.Errorf("foreground login failed: %v", err)
 	}
@@ -300,10 +261,10 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command, pm *profilemanager
 	}

 	// set the new config
-	req := setupSetConfigReq(customDNSAddressConverted, cmd, activeProf.ID.String(), username.Username)
+	req := setupSetConfigReq(customDNSAddressConverted, cmd, activeProf.Name, username.Username)
 	if _, err := client.SetConfig(ctx, req); err != nil {
 		if st, ok := gstatus.FromError(err); ok && st.Code() == codes.Unavailable {
-			log.Warnf("setConfig method is not available in the daemon: %s", st.Message())
+			log.Warnf("setConfig method is not available in the daemon")
 		} else {
 			return fmt.Errorf("call service setConfig method: %v", err)
 		}
@@ -328,11 +289,10 @@ func doDaemonUp(ctx context.Context, cmd *cobra.Command, client proto.DaemonServ
 		return fmt.Errorf("setup login request: %v", err)
 	}

-	profileID := activeProf.ID.String()
-	loginRequest.ProfileName = &profileID
+	loginRequest.ProfileName = &activeProf.Name
 	loginRequest.Username = &username

-	profileState, err := pm.GetProfileState(activeProf.ID)
+	profileState, err := pm.GetProfileState(activeProf.Name)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {
@@ -369,7 +329,7 @@ func doDaemonUp(ctx context.Context, cmd *cobra.Command, client proto.DaemonServ
 	}

 	if _, err := client.Up(ctx, &proto.UpRequest{
-		ProfileName: &profileID,
+		ProfileName: &activeProf.Name,
 		Username:    &username,
 	}); err != nil {
 		return fmt.Errorf("call service up method: %v", err)
--- a/client/cmd/up_daemon_test.go
+++ b/client/cmd/up_daemon_test.go
@@ -29,14 +29,14 @@ func TestUpDaemon(t *testing.T) {
 	}

 	sm := profilemanager.ServiceManager{}
-	created, err := sm.AddProfile("test1", currUser.Username)
+	err = sm.AddProfile("test1", currUser.Username)
 	if err != nil {
 		t.Fatalf("failed to add profile: %v", err)
 		return
 	}

 	err = sm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		ID:       created.ID,
+		Name:     "test1",
 		Username: currUser.Username,
 	})
 	if err != nil {
--- a/client/embed/embed.go
+++ b/client/embed/embed.go
@@ -279,11 +279,9 @@ func (c *Client) Start(startCtx context.Context) error {

 	select {
 	case <-startCtx.Done():
-		// ConnectClient.Stop now cancels its own run context and waits for the
-		// run loop to tear the engine down, so this cancel() is no longer
-		// required to break the deadlock and could be removed. It is kept as a
-		// defensive belt-and-suspenders: cancelling the parent context first
-		// guarantees the run loop is unblocked even if Stop's contract regresses.
+		// Cancel the client context before stopping: Engine.Start blocks on the
+		// signal stream while holding the engine mutex and only unblocks on
+		// cancellation. Stopping first would deadlock on that mutex.
 		cancel()
 		if stopErr := client.Stop(); stopErr != nil {
 			return fmt.Errorf("stop error after context done. Stop error: %w. Context done: %w", stopErr, startCtx.Err())
--- a/client/iface/bind/ice_bind.go
+++ b/client/iface/bind/ice_bind.go
@@ -41,7 +41,6 @@ type ICEBind struct {
 	*wgConn.StdNetBind

 	transportNet transport.Net
-	filterFn     udpmux.FilterFn
 	address      wgaddr.Address
 	mtu          uint16

@@ -61,12 +60,11 @@ type ICEBind struct {
 	ipv6Conn *net.UDPConn
 }

-func NewICEBind(transportNet transport.Net, filterFn udpmux.FilterFn, address wgaddr.Address, mtu uint16) *ICEBind {
+func NewICEBind(transportNet transport.Net, address wgaddr.Address, mtu uint16) *ICEBind {
 	b, _ := wgConn.NewStdNetBind().(*wgConn.StdNetBind)
 	ib := &ICEBind{
 		StdNetBind:       b,
 		transportNet:     transportNet,
-		filterFn:         filterFn,
 		address:          address,
 		mtu:              mtu,
 		endpoints:        make(map[netip.Addr]net.Conn),
@@ -265,7 +263,6 @@ func (s *ICEBind) createOrUpdateMux() {
 		udpmux.UniversalUDPMuxParams{
 			UDPConn:   muxConn,
 			Net:       s.transportNet,
-			FilterFn:  s.filterFn,
 			WGAddress: s.address,
 			MTU:       s.mtu,
 		},
--- a/client/iface/bind/ice_bind_test.go
+++ b/client/iface/bind/ice_bind_test.go
@@ -289,7 +289,7 @@ func setupICEBind(t *testing.T) *ICEBind {
 		IP:      netip.MustParseAddr("100.64.0.1"),
 		Network: netip.MustParsePrefix("100.64.0.0/10"),
 	}
-	return NewICEBind(transportNet, nil, address, 1280)
+	return NewICEBind(transportNet, address, 1280)
 }

 func createDualStackConns(t *testing.T) (*net.UDPConn, *net.UDPConn) {
--- a/client/iface/device/device_kernel_unix.go
+++ b/client/iface/device/device_kernel_unix.go
@@ -32,8 +32,6 @@ type TunKernelDevice struct {
 	link       *wgLink
 	udpMuxConn net.PacketConn
 	udpMux     *udpmux.UniversalUDPMuxDefault
-
-	filterFn udpmux.FilterFn
 }

 func NewKernelDevice(name string, address wgaddr.Address, wgPort int, key string, mtu uint16, transportNet transport.Net) *TunKernelDevice {
@@ -104,7 +102,6 @@ func (t *TunKernelDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 	bindParams := udpmux.UniversalUDPMuxParams{
 		UDPConn:   nbnet.WrapPacketConn(rawSock),
 		Net:       t.transportNet,
-		FilterFn:  t.filterFn,
 		WGAddress: t.address,
 		MTU:       t.mtu,
 	}
--- a/client/iface/iface.go
+++ b/client/iface/iface.go
@@ -63,7 +63,6 @@ type WGIFaceOpts struct {
 	MTU          uint16
 	MobileArgs   *device.MobileIFaceArguments
 	TransportNet transport.Net
-	FilterFn     udpmux.FilterFn
 	DisableDNS   bool
 }

--- a/client/iface/iface_new.go
+++ b/client/iface/iface_new.go
@@ -11,7 +11,7 @@ import (

 // NewWGIFace Creates a new WireGuard interface instance
 func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, opts.Address, opts.MTU)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.Address, opts.MTU)

 	var tun WGTunDevice
 	if netstack.IsEnabled() {
--- a/client/iface/iface_new_android.go
+++ b/client/iface/iface_new_android.go
@@ -9,7 +9,7 @@ import (

 // NewWGIFace Creates a new WireGuard interface instance
 func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, opts.Address, opts.MTU)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.Address, opts.MTU)

 	if netstack.IsEnabled() {
 		wgIFace := &WGIface{
--- a/client/iface/iface_new_ios.go
+++ b/client/iface/iface_new_ios.go
@@ -10,7 +10,7 @@ import (

 // NewWGIFace Creates a new WireGuard interface instance
 func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, opts.Address, opts.MTU)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.Address, opts.MTU)

 	wgIFace := &WGIface{
 		tun:            device.NewTunDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunFd),
--- a/client/iface/iface_new_linux.go
+++ b/client/iface/iface_new_linux.go
@@ -14,7 +14,7 @@ import (
 // NewWGIFace Creates a new WireGuard interface instance
 func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	if netstack.IsEnabled() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, opts.Address, opts.MTU)
+		iceBind := bind.NewICEBind(opts.TransportNet, opts.Address, opts.MTU)
 		return &WGIface{
 			tun:            device.NewNetstackDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr()),
 			userspaceBind:  true,
@@ -30,7 +30,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	}

 	if device.ModuleTunIsLoaded() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, opts.Address, opts.MTU)
+		iceBind := bind.NewICEBind(opts.TransportNet, opts.Address, opts.MTU)
 		return &WGIface{
 			tun:            device.NewTunDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind),
 			userspaceBind:  true,
--- a/client/iface/udpmux/universal.go
+++ b/client/iface/udpmux/universal.go
@@ -8,8 +8,6 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"net/netip"
-	"sync"
 	"time"

 	log "github.com/sirupsen/logrus"
@@ -22,10 +20,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )

-// FilterFn is a function that filters out candidates based on the address.
-// If it returns true, the address is to be filtered. It also returns the prefix of matching route.
-type FilterFn func(address netip.Addr) (bool, netip.Prefix, error)
-
 // UniversalUDPMuxDefault handles STUN and TURN servers packets by wrapping the original UDPConn
 // It then passes packets to the UDPMux that does the actual connection muxing.
 type UniversalUDPMuxDefault struct {
@@ -43,7 +37,6 @@ type UniversalUDPMuxParams struct {
 	UDPConn               net.PacketConn
 	XORMappedAddrCacheTTL time.Duration
 	Net                   transport.Net
-	FilterFn              FilterFn
 	WGAddress             wgaddr.Address
 	MTU                   uint16
 }
@@ -68,7 +61,6 @@ func NewUniversalUDPMuxDefault(params UniversalUDPMuxParams) *UniversalUDPMuxDef
 		PacketConn: params.UDPConn,
 		mux:        m,
 		logger:     params.Logger,
-		filterFn:   params.FilterFn,
 		address:    params.WGAddress,
 	}

@@ -115,15 +107,12 @@ func (m *UniversalUDPMuxDefault) ReadFromConn(ctx context.Context) {
 	}
 }

-// UDPConn is a wrapper around UDPMux conn that overrides ReadFrom and handles STUN/TURN packets
+// UDPConn is a wrapper around UDPMux conn that overrides WriteTo to drop packets destined for the overlay subnet.
 type UDPConn struct {
 	net.PacketConn
-	mux      *UniversalUDPMuxDefault
-	logger   logging.LeveledLogger
-	filterFn FilterFn
-	// TODO: reset cache on route changes
-	addrCache sync.Map
-	address   wgaddr.Address
+	mux     *UniversalUDPMuxDefault
+	logger  logging.LeveledLogger
+	address wgaddr.Address
 }

 // GetPacketConn returns the underlying PacketConn
@@ -132,65 +121,16 @@ func (u *UDPConn) GetPacketConn() net.PacketConn {
 }

 func (u *UDPConn) WriteTo(b []byte, addr net.Addr) (int, error) {
-	if u.filterFn == nil {
+	udpAddr, ok := addr.(*net.UDPAddr)
+	if !ok {
 		return u.PacketConn.WriteTo(b, addr)
 	}
-
-	if isRouted, found := u.addrCache.Load(addr.String()); found {
-		return u.handleCachedAddress(isRouted.(bool), b, addr)
-	}
-
-	return u.handleUncachedAddress(b, addr)
-}
-
-func (u *UDPConn) handleCachedAddress(isRouted bool, b []byte, addr net.Addr) (int, error) {
-	if isRouted {
-		return 0, fmt.Errorf("address %s is part of a routed network, refusing to write", addr)
-	}
-	return u.PacketConn.WriteTo(b, addr)
-}
-
-func (u *UDPConn) handleUncachedAddress(b []byte, addr net.Addr) (int, error) {
-	if err := u.performFilterCheck(addr); err != nil {
-		return 0, err
-	}
-	return u.PacketConn.WriteTo(b, addr)
-}
-
-func (u *UDPConn) performFilterCheck(addr net.Addr) error {
-	host, err := getHostFromAddr(addr)
-	if err != nil {
-		log.Errorf("Failed to get host from address %s: %v", addr, err)
-		return nil
-	}
-
-	a, err := netip.ParseAddr(host)
-	if err != nil {
-		log.Errorf("Failed to parse address %s: %v", addr, err)
-		return nil
-	}
-
-	if u.address.Network.Contains(a) {
+	dst := udpAddr.AddrPort().Addr().Unmap()
+	if (u.address.Network.IsValid() && u.address.Network.Contains(dst)) || (u.address.IPv6Net.IsValid() && u.address.IPv6Net.Contains(dst)) {
 		log.Warnf("address %s is part of the NetBird network %s, refusing to write", addr, u.address)
-		return fmt.Errorf("address %s is part of the NetBird network %s, refusing to write", addr, u.address)
+		return 0, fmt.Errorf("address %s is part of the NetBird network %s, refusing to write", addr, u.address)
 	}
-
-	if isRouted, prefix, err := u.filterFn(a); err != nil {
-		log.Errorf("Failed to check if address %s is routed: %v", addr, err)
-	} else {
-		u.addrCache.Store(addr.String(), isRouted)
-		if isRouted {
-			// Extra log, as the error only shows up with ICE logging enabled
-			log.Infof("address %s is part of routed network %s, refusing to write", addr, prefix)
-			return fmt.Errorf("address %s is part of routed network %s, refusing to write", addr, prefix)
-		}
-	}
-	return nil
-}
-
-func getHostFromAddr(addr net.Addr) (string, error) {
-	host, _, err := net.SplitHostPort(addr.String())
-	return host, err
+	return u.PacketConn.WriteTo(b, addr)
 }

 // GetSharedConn returns the shared udp conn
@@ -225,6 +165,13 @@ func (m *UniversalUDPMuxDefault) HandleSTUNMessage(msg *stun.Message, addr net.A
 		return nil
 	}

+	src := udpAddr.AddrPort().Addr().Unmap()
+	wg := m.params.WGAddress
+	if (wg.Network.IsValid() && wg.Network.Contains(src)) || (wg.IPv6Net.IsValid() && wg.IPv6Net.Contains(src)) {
+		log.Debugf("dropping STUN message from overlay source %s", udpAddr)
+		return nil
+	}
+
 	if m.isXORMappedResponse(msg, udpAddr.String()) {
 		err := m.handleXORMappedResponse(udpAddr, msg)
 		if err != nil {
--- a/client/iface/wgproxy/proxy_linux_test.go
+++ b/client/iface/wgproxy/proxy_linux_test.go
@@ -66,7 +66,7 @@ func seedProxyForProxyCloseByRemoteConn() ([]proxyInstance, error) {
 	if err != nil {
 		return nil, err
 	}
-	iceBind := bind.NewICEBind(nil, nil, wgAddress, 1280)
+	iceBind := bind.NewICEBind(nil, wgAddress, 1280)
 	endpointAddress := &net.UDPAddr{
 		IP:   net.IPv4(10, 0, 0, 1),
 		Port: 1234,
--- a/client/iface/wgproxy/proxy_seed_test.go
+++ b/client/iface/wgproxy/proxy_seed_test.go
@@ -22,7 +22,7 @@ func seedProxyForProxyCloseByRemoteConn() ([]proxyInstance, error) {
 	if err != nil {
 		return nil, err
 	}
-	iceBind := bind.NewICEBind(nil, nil, wgAddress, 1280)
+	iceBind := bind.NewICEBind(nil, wgAddress, 1280)
 	endpointAddress := &net.UDPAddr{
 		IP:   net.IPv4(10, 0, 0, 1),
 		Port: 1234,
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -11,7 +11,6 @@ import (
 	"runtime/debug"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"time"

 	"github.com/cenkalti/backoff/v4"
@@ -55,10 +54,6 @@ var androidRunOverride func(c *ConnectClient, runningChan chan struct{}, logPath

 type ConnectClient struct {
 	ctx            context.Context
-	runCancel      context.CancelFunc
-	runExited      chan struct{}
-	runOnce        sync.Once
-	runStarted     atomic.Bool
 	config         *profilemanager.Config
 	statusRecorder *peer.Status

@@ -75,14 +70,8 @@ func NewConnectClient(
 	config *profilemanager.Config,
 	statusRecorder *peer.Status,
 ) *ConnectClient {
-	// Derive the run context here so Stop owns the cancel that unblocks the run
-	// loop. runCancel is set once at construction, so Stop can call it without
-	// racing the run loop's startup. Callers therefore need not cancel before Stop.
-	runCtx, runCancel := context.WithCancel(ctx)
 	return &ConnectClient{
-		ctx:            runCtx,
-		runCancel:      runCancel,
-		runExited:      make(chan struct{}),
+		ctx:            ctx,
 		config:         config,
 		statusRecorder: statusRecorder,
 		engineMutex:    sync.Mutex{},
@@ -146,11 +135,6 @@ func (c *ConnectClient) RunOniOS(
 }

 func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan struct{}, logPath string) error {
-	// Mark the loop as started and signal exit on return so Stop can wait for
-	// the loop to finish (and skip the wait if the loop never ran).
-	c.runStarted.Store(true)
-	defer c.runOnce.Do(func() { close(c.runExited) })
-
 	defer func() {
 		if r := recover(); r != nil {
 			rec := c.statusRecorder
@@ -306,7 +290,7 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			log.Debug(err)
 			if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.PermissionDenied) {
 				state.Set(StatusNeedsLogin)
-				c.runCancel()
+				_ = c.Stop()
 				return backoff.Permanent(wrapErr(err)) // unrecoverable error
 			}
 			return wrapErr(err)
@@ -426,10 +410,14 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		c.engine = nil
 		c.engineMutex.Unlock()

-		log.Infof("ensuring wg interface is removed, Netbird engine context cancelled")
+		// todo: consider to remove this condition. Is not thread safe.
+		// We should always call Stop(), but we need to verify that it is idempotent
+		if engine.wgInterface != nil {
+			log.Infof("ensuring %s is removed, Netbird engine context cancelled", engine.wgInterface.Name())

-		if err := engine.Stop(); err != nil {
-			log.Errorf("Failed to stop engine: %v", err)
+			if err := engine.Stop(); err != nil {
+				log.Errorf("Failed to stop engine: %v", err)
+			}
 		}
 		c.statusRecorder.ClientTeardown()

@@ -445,12 +433,12 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 	}

 	c.statusRecorder.ClientStart()
-	err = backoff.Retry(operation, backoff.WithContext(backOff, c.ctx))
+	err = backoff.Retry(operation, backOff)
 	if err != nil {
 		log.Debugf("exiting client retry loop due to unrecoverable error: %s", err)
 		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.PermissionDenied) {
 			state.Set(StatusNeedsLogin)
-			c.runCancel()
+			_ = c.Stop()
 		}
 		return err
 	}
@@ -528,9 +516,11 @@ func (c *ConnectClient) Status() StatusType {
 }

 func (c *ConnectClient) Stop() error {
-	c.runCancel()
-	if c.runStarted.Load() {
-		<-c.runExited
+	engine := c.Engine()
+	if engine != nil {
+		if err := engine.Stop(); err != nil {
+			return fmt.Errorf("stop engine: %w", err)
+		}
 	}
 	return nil
 }
--- a/client/internal/debug/debug_test.go
+++ b/client/internal/debug/debug_test.go
@@ -843,7 +843,6 @@ func TestAddConfig_AllFieldsCovered(t *testing.T) {
 		"PreSharedKey":      "sensitive: WireGuard pre-shared key",
 		"SSHKey":            "sensitive: SSH private key",
 		"ClientCertKeyPair": "non-config: parsed cert pair, not serialized",
-		"Name":              "non-config: profile name is not needed for debug purposes",
 		"policy":            "non-config: in-memory MDM policy snapshot, surfaced via Config.Policy() / GetConfigResponse.MDMManagedFields",
 	}

--- a/client/internal/dns/mgmt/mgmt.go
+++ b/client/internal/dns/mgmt/mgmt.go
@@ -51,20 +51,13 @@ type cachedRecord struct {
 }

 // Resolver caches critical NetBird infrastructure domains.
-// records, refreshing, failedResolves, mgmtDomain and serverDomains are all
-// guarded by mutex.
+// records, refreshing, mgmtDomain and serverDomains are all guarded by mutex.
 type Resolver struct {
 	records       map[dns.Question]*cachedRecord
 	mgmtDomain    *domain.Domain
 	serverDomains *dnsconfig.ServerDomains
 	mutex         sync.RWMutex

-	// failedResolves records the last failed initial resolve per domain so a
-	// domain that never resolves isn't retried on every server-domains update
-	// until refreshBackoff elapses. Entries are cleared on success and pruned
-	// to the current server-domains set.
-	failedResolves map[domain.Domain]time.Time
-
 	chain            ChainResolver
 	chainMaxPriority int
 	refreshGroup     singleflight.Group
@@ -83,10 +76,9 @@ type Resolver struct {
 // NewResolver creates a new management domains cache resolver.
 func NewResolver() *Resolver {
 	return &Resolver{
-		records:        make(map[dns.Question]*cachedRecord),
-		refreshing:     make(map[dns.Question]*atomic.Bool),
-		failedResolves: make(map[domain.Domain]time.Time),
-		cacheTTL:       resolveCacheTTL(),
+		records:    make(map[dns.Question]*cachedRecord),
+		refreshing: make(map[dns.Question]*atomic.Bool),
+		cacheTTL:   resolveCacheTTL(),
 	}
 }

@@ -181,9 +173,7 @@ func (m *Resolver) continueToNext(w dns.ResponseWriter, r *dns.Msg) {

 // AddDomain resolves a domain and stores its A/AAAA records in the cache.
 // A family that resolves NODATA (nil err, zero records) evicts any stale
-// entry for that qtype. When one family hard-errors while the other succeeds,
-// the resolved family is still cached but AddDomain returns an error so the
-// caller retries the incomplete resolve rather than treating it as complete.
+// entry for that qtype.
 func (m *Resolver) AddDomain(ctx context.Context, d domain.Domain) error {
 	dnsName := strings.ToLower(dns.Fqdn(d.PunycodeString()))

@@ -213,10 +203,6 @@ func (m *Resolver) AddDomain(ctx context.Context, d domain.Domain) error {
 	log.Debugf("added/updated domain=%s with %d A records and %d AAAA records",
 		d.SafeString(), len(aRecords), len(aaaaRecords))

-	if errA != nil || errAAAA != nil {
-		return fmt.Errorf("resolve %s: incomplete, a family failed: %w", d.SafeString(), errors.Join(errA, errAAAA))
-	}
-
 	return nil
 }

@@ -476,7 +462,6 @@ func (m *Resolver) RemoveDomain(d domain.Domain) error {
 	delete(m.records, qAAAA)
 	delete(m.refreshing, qA)
 	delete(m.refreshing, qAAAA)
-	delete(m.failedResolves, d)

 	log.Debugf("removed domain=%s from cache", d.SafeString())
 	return nil
@@ -520,7 +505,6 @@ func (m *Resolver) UpdateFromServerDomains(ctx context.Context, serverDomains dn
 		allDomains := m.extractDomainsFromServerDomains(updatedServerDomains)
 		currentDomains := m.GetCachedDomains()
 		removedDomains = m.removeStaleDomains(currentDomains, allDomains)
-		m.pruneFailedResolves(allDomains)
 	}

 	m.addNewDomains(ctx, newDomains)
@@ -593,85 +577,13 @@ func (m *Resolver) isManagementDomain(domain domain.Domain) bool {
 	return m.mgmtDomain != nil && domain == *m.mgmtDomain
 }

-// addNewDomains resolves and caches domains that are not yet in the cache,
-// running the lookups concurrently. Domains already cached are skipped and left
-// to the stale-while-revalidate refresh path, so a sync never re-resolves them
-// synchronously: once NetBird owns the OS resolver the resolve runs through the
-// handler chain and would otherwise dial the managed upstreams under the engine
-// sync lock on every update.
+// addNewDomains resolves and caches all domains from the update
 func (m *Resolver) addNewDomains(ctx context.Context, newDomains domain.List) {
-	var wg sync.WaitGroup
-	seen := make(map[domain.Domain]struct{}, len(newDomains))
 	for _, newDomain := range newDomains {
-		if _, dup := seen[newDomain]; dup {
-			continue
-		}
-		seen[newDomain] = struct{}{}
-
-		if !m.needsResolve(newDomain) {
-			continue
-		}
-
-		wg.Add(1)
-		go func(d domain.Domain) {
-			defer wg.Done()
-			if err := m.AddDomain(ctx, d); err != nil {
-				m.markResolveFailed(d)
-				log.Warnf("failed to add/update domain=%s: %v", d.SafeString(), err)
-				return
-			}
-			m.clearResolveFailed(d)
-			log.Debugf("added/updated management cache domain=%s", d.SafeString())
-		}(newDomain)
-	}
-	wg.Wait()
-}
-
-// needsResolve reports whether d should be resolved now. A recent failed or
-// incomplete resolve gates retries on the backoff even when one family is
-// already cached, so a transiently-failed family is retried instead of being
-// treated as fully resolved. Otherwise a domain with any cached record is left
-// to the stale-while-revalidate refresh path.
-func (m *Resolver) needsResolve(d domain.Domain) bool {
-	dnsName := strings.ToLower(dns.Fqdn(d.PunycodeString()))
-
-	m.mutex.RLock()
-	defer m.mutex.RUnlock()
-
-	if failedAt, ok := m.failedResolves[d]; ok {
-		return time.Since(failedAt) >= refreshBackoff
-	}
-
-	for _, qtype := range []uint16{dns.TypeA, dns.TypeAAAA} {
-		q := dns.Question{Name: dnsName, Qtype: qtype, Qclass: dns.ClassINET}
-		if _, ok := m.records[q]; ok {
-			return false
-		}
-	}
-	return true
-}
-
-func (m *Resolver) markResolveFailed(d domain.Domain) {
-	m.mutex.Lock()
-	m.failedResolves[d] = time.Now()
-	m.mutex.Unlock()
-}
-
-func (m *Resolver) clearResolveFailed(d domain.Domain) {
-	m.mutex.Lock()
-	delete(m.failedResolves, d)
-	m.mutex.Unlock()
-}
-
-// pruneFailedResolves drops failure markers for domains no longer present in
-// the server-domains set, keeping the map bounded to the current set (a
-// failed-only domain has no cached record, so RemoveDomain never sees it).
-func (m *Resolver) pruneFailedResolves(domains domain.List) {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-	for d := range m.failedResolves {
-		if !slices.Contains(domains, d) {
-			delete(m.failedResolves, d)
+		if err := m.AddDomain(ctx, newDomain); err != nil {
+			log.Warnf("failed to add/update domain=%s: %v", newDomain.SafeString(), err)
+		} else {
+			log.Debugf("added/updated management cache domain=%s", newDomain.SafeString())
 		}
 	}
 }
--- a/client/internal/dns/mgmt/mgmt_refresh_test.go
+++ b/client/internal/dns/mgmt/mgmt_refresh_test.go
@@ -21,7 +21,6 @@ type fakeChain struct {
 	mu       sync.Mutex
 	calls    map[string]int
 	answers  map[string][]dns.RR
-	qErr     map[string]error
 	err      error
 	hasRoot  bool
 	onLookup func()
@@ -31,7 +30,6 @@ func newFakeChain() *fakeChain {
 	return &fakeChain{
 		calls:   map[string]int{},
 		answers: map[string][]dns.RR{},
-		qErr:    map[string]error{},
 		hasRoot: true,
 	}
 }
@@ -49,9 +47,6 @@ func (f *fakeChain) ResolveInternal(ctx context.Context, msg *dns.Msg, maxPriori
 	f.calls[key]++
 	answers := f.answers[key]
 	err := f.err
-	if err == nil {
-		err = f.qErr[key]
-	}
 	onLookup := f.onLookup
 	f.mu.Unlock()

@@ -80,12 +75,6 @@ func (f *fakeChain) setAnswer(name string, qtype uint16, ip string) {
 	}
 }

-func (f *fakeChain) setErr(name string, qtype uint16, err error) {
-	f.mu.Lock()
-	defer f.mu.Unlock()
-	f.qErr[name+"|"+dns.TypeToString[qtype]] = err
-}
-
 func (f *fakeChain) callCount(name string, qtype uint16) int {
 	f.mu.Lock()
 	defer f.mu.Unlock()
--- a/client/internal/dns/mgmt/mgmt_resolve_test.go
+++ b/client/internal/dns/mgmt/mgmt_resolve_test.go
@@ -1,183 +0,0 @@
-package mgmt
-
-import (
-	"context"
-	"errors"
-	"sync/atomic"
-	"testing"
-	"time"
-
-	"github.com/miekg/dns"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
-	"github.com/netbirdio/netbird/shared/management/domain"
-)
-
-// A domain already in the cache must not be re-resolved on a subsequent server
-// domains update; it is left to the stale-while-revalidate refresh path.
-func TestResolver_UpdateFromServerDomains_SkipsCached(t *testing.T) {
-	r := NewResolver()
-	chain := newFakeChain()
-	chain.setAnswer("signal.example.com.", dns.TypeA, "10.0.0.2")
-	r.SetChainResolver(chain, 50)
-
-	sd := dnsconfig.ServerDomains{Signal: domain.Domain("signal.example.com")}
-
-	_, err := r.UpdateFromServerDomains(context.Background(), sd)
-	require.NoError(t, err)
-	require.Equal(t, 1, chain.callCount("signal.example.com.", dns.TypeA),
-		"first update must resolve the domain")
-
-	_, err = r.UpdateFromServerDomains(context.Background(), sd)
-	require.NoError(t, err)
-	assert.Equal(t, 1, chain.callCount("signal.example.com.", dns.TypeA),
-		"cached domain must not be re-resolved on a subsequent update")
-}
-
-// New domains in a single update must resolve concurrently rather than serially.
-func TestResolver_AddNewDomains_ResolvesConcurrently(t *testing.T) {
-	r := NewResolver()
-	chain := newFakeChain()
-
-	var inflight, maxInflight atomic.Int32
-	chain.onLookup = func() {
-		n := inflight.Add(1)
-		for {
-			old := maxInflight.Load()
-			if n <= old || maxInflight.CompareAndSwap(old, n) {
-				break
-			}
-		}
-		time.Sleep(50 * time.Millisecond)
-		inflight.Add(-1)
-	}
-
-	relays := []domain.Domain{"a.example.com", "b.example.com", "c.example.com", "d.example.com"}
-	for _, d := range relays {
-		chain.setAnswer(dns.Fqdn(string(d)), dns.TypeA, "10.0.0.2")
-	}
-	r.SetChainResolver(chain, 50)
-
-	start := time.Now()
-	_, err := r.UpdateFromServerDomains(context.Background(), dnsconfig.ServerDomains{Relay: relays})
-	require.NoError(t, err)
-	elapsed := time.Since(start)
-
-	assert.GreaterOrEqual(t, int(maxInflight.Load()), 2, "domains must resolve concurrently")
-	// Serial resolution of 4 domains would take at least 4*50ms; concurrent is far less.
-	assert.Less(t, elapsed, 300*time.Millisecond, "resolution should not be serial")
-}
-
-// A domain that fails to resolve must not be retried on every update; the
-// failure backoff suppresses re-resolution until it expires.
-func TestResolver_UpdateFromServerDomains_BacksOffFailures(t *testing.T) {
-	r := NewResolver()
-	chain := newFakeChain()
-	chain.err = errors.New("resolve boom")
-	r.SetChainResolver(chain, 50)
-
-	sd := dnsconfig.ServerDomains{Signal: domain.Domain("signal.example.com")}
-
-	_, err := r.UpdateFromServerDomains(context.Background(), sd)
-	require.NoError(t, err)
-	require.Equal(t, 1, chain.callCount("signal.example.com.", dns.TypeA),
-		"first update must attempt the resolve")
-
-	_, err = r.UpdateFromServerDomains(context.Background(), sd)
-	require.NoError(t, err)
-	assert.Equal(t, 1, chain.callCount("signal.example.com.", dns.TypeA),
-		"failed resolve must back off and not retry on the next update")
-}
-
-// A domain listed under more than one server-domain type (e.g. STUN and TURN on
-// the same host) must be resolved once per update, not once per occurrence.
-func TestResolver_AddNewDomains_DedupesDuplicateDomains(t *testing.T) {
-	r := NewResolver()
-	chain := newFakeChain()
-	chain.setAnswer("dup.example.com.", dns.TypeA, "10.0.0.9")
-	r.SetChainResolver(chain, 50)
-
-	sd := dnsconfig.ServerDomains{
-		Stuns: []domain.Domain{"dup.example.com"},
-		Turns: []domain.Domain{"dup.example.com"},
-	}
-
-	_, err := r.UpdateFromServerDomains(context.Background(), sd)
-	require.NoError(t, err)
-	assert.Equal(t, 1, chain.callCount("dup.example.com.", dns.TypeA),
-		"a domain appearing under multiple server-domain types must resolve once")
-}
-
-// A failure marker must be dropped once its domain leaves the server-domains set
-// so the map stays bounded to the current set.
-func TestResolver_UpdateFromServerDomains_PrunesFailedResolves(t *testing.T) {
-	r := NewResolver()
-	chain := newFakeChain()
-	chain.err = errors.New("resolve boom")
-	r.SetChainResolver(chain, 50)
-
-	_, err := r.UpdateFromServerDomains(context.Background(), dnsconfig.ServerDomains{Signal: domain.Domain("gone.example.com")})
-	require.NoError(t, err)
-	r.mutex.RLock()
-	_, marked := r.failedResolves[domain.Domain("gone.example.com")]
-	r.mutex.RUnlock()
-	require.True(t, marked, "failed resolve must be recorded")
-
-	_, err = r.UpdateFromServerDomains(context.Background(), dnsconfig.ServerDomains{Signal: domain.Domain("other.example.com")})
-	require.NoError(t, err)
-	r.mutex.RLock()
-	_, stillMarked := r.failedResolves[domain.Domain("gone.example.com")]
-	r.mutex.RUnlock()
-	assert.False(t, stillMarked, "failure marker for a domain no longer in the set must be pruned")
-}
-
-// When one family hard-errors while the other resolves, the domain is cached
-// for the working family but recorded as incomplete so the failed family is
-// retried under backoff instead of being treated as fully resolved forever.
-func TestResolver_AddNewDomains_RetriesPartialFamilyFailure(t *testing.T) {
-	d := domain.Domain("relay.example.com")
-	r := NewResolver()
-	chain := newFakeChain()
-	chain.setAnswer("relay.example.com.", dns.TypeA, "10.0.0.2")
-	chain.setErr("relay.example.com.", dns.TypeAAAA, errors.New("servfail"))
-	r.SetChainResolver(chain, 50)
-
-	_, err := r.UpdateFromServerDomains(context.Background(), dnsconfig.ServerDomains{Relay: []domain.Domain{d}})
-	require.NoError(t, err)
-
-	r.mutex.RLock()
-	_, aCached := r.records[dns.Question{Name: "relay.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}]
-	_, marked := r.failedResolves[d]
-	r.mutex.RUnlock()
-	require.True(t, aCached, "the working family must still be cached")
-	require.True(t, marked, "a partial failure must be recorded so the failed family is retried")
-
-	assert.False(t, r.needsResolve(d), "within the backoff window the domain is not retried")
-
-	r.mutex.Lock()
-	r.failedResolves[d] = time.Now().Add(-2 * refreshBackoff)
-	r.mutex.Unlock()
-	assert.True(t, r.needsResolve(d), "after the backoff elapses the domain is retried to pick up the missing family")
-}
-
-// A family that returns NODATA (legitimately absent, e.g. an IPv4-only host) is
-// not a failure: the domain must not be marked for retry, otherwise it would be
-// re-resolved on every sync.
-func TestResolver_AddNewDomains_NodataIsNotFailure(t *testing.T) {
-	d := domain.Domain("v4only.example.com")
-	r := NewResolver()
-	chain := newFakeChain()
-	chain.setAnswer("v4only.example.com.", dns.TypeA, "10.0.0.2")
-	r.SetChainResolver(chain, 50)
-
-	_, err := r.UpdateFromServerDomains(context.Background(), dnsconfig.ServerDomains{Relay: []domain.Domain{d}})
-	require.NoError(t, err)
-
-	r.mutex.RLock()
-	_, marked := r.failedResolves[d]
-	r.mutex.RUnlock()
-	assert.False(t, marked, "a NODATA family must not be recorded as a failure")
-	assert.False(t, r.needsResolve(d), "an IPv4-only host must not be re-resolved on later syncs")
-}
--- a/client/internal/dns/resutil/resolve.go
+++ b/client/internal/dns/resutil/resolve.go
@@ -207,35 +207,3 @@ func FormatAnswers(answers []dns.RR) string {
 	}
 	return "[" + strings.Join(parts, ", ") + "]"
 }
-
-// StripOPT removes any OPT pseudo-RRs from the message's Extra section. Per
-// RFC 6891 a responder must not include an OPT RR toward a client that did not
-// advertise EDNS0.
-func StripOPT(msg *dns.Msg) {
-	if len(msg.Extra) == 0 {
-		return
-	}
-	out := msg.Extra[:0]
-	for _, rr := range msg.Extra {
-		if _, ok := rr.(*dns.OPT); ok {
-			continue
-		}
-		out = append(out, rr)
-	}
-	msg.Extra = out
-}
-
-// ExtractEDE returns the first Extended DNS Error (RFC 8914) option carried in
-// the message, if present.
-func ExtractEDE(msg *dns.Msg) (*dns.EDNS0_EDE, bool) {
-	opt := msg.IsEdns0()
-	if opt == nil {
-		return nil, false
-	}
-	for _, o := range opt.Option {
-		if ede, ok := o.(*dns.EDNS0_EDE); ok {
-			return ede, true
-		}
-	}
-	return nil, false
-}
--- a/client/internal/dns/resutil/resolve_test.go
+++ b/client/internal/dns/resutil/resolve_test.go
@@ -120,42 +120,3 @@ func TestLookupIP_DNSErrorNotIsNotFound(t *testing.T) {

 	assert.Equal(t, dns.RcodeServerFailure, result.Rcode, "upstream failure should map to SERVFAIL")
 }
-
-func TestStripOPT(t *testing.T) {
-	rm := &dns.Msg{
-		Extra: []dns.RR{
-			&dns.OPT{Hdr: dns.RR_Header{Name: ".", Rrtype: dns.TypeOPT}},
-			&dns.A{Hdr: dns.RR_Header{Name: "x.", Rrtype: dns.TypeA}, A: net.IPv4(1, 2, 3, 4)},
-		},
-	}
-	StripOPT(rm)
-	assert.Len(t, rm.Extra, 1, "OPT should be removed, A kept")
-	_, isOPT := rm.Extra[0].(*dns.OPT)
-	assert.False(t, isOPT, "remaining record must not be OPT")
-}
-
-func TestExtractEDE(t *testing.T) {
-	t.Run("no edns", func(t *testing.T) {
-		_, ok := ExtractEDE(&dns.Msg{})
-		assert.False(t, ok, "message without OPT has no EDE")
-	})
-
-	t.Run("edns without ede", func(t *testing.T) {
-		rm := &dns.Msg{}
-		rm.SetEdns0(4096, false)
-		_, ok := ExtractEDE(rm)
-		assert.False(t, ok, "OPT without EDE option returns false")
-	})
-
-	t.Run("with ede", func(t *testing.T) {
-		rm := &dns.Msg{}
-		opt := &dns.OPT{Hdr: dns.RR_Header{Name: ".", Rrtype: dns.TypeOPT}}
-		opt.Option = append(opt.Option, &dns.EDNS0_EDE{InfoCode: 49152, ExtraText: "upstream timeout"})
-		rm.Extra = append(rm.Extra, opt)
-
-		ede, ok := ExtractEDE(rm)
-		assert.True(t, ok, "EDE option should be found")
-		assert.Equal(t, uint16(49152), ede.InfoCode)
-		assert.Equal(t, "upstream timeout", ede.ExtraText)
-	})
-}
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"net/netip"
 	"net/url"
-	"os"
 	"slices"
 	"strings"
 	"sync"
@@ -39,15 +38,11 @@ const (
 	// defaultWarningDelayBase is the starting grace window before a
 	// "Nameserver group unreachable" event fires for a group that's
 	// never been healthy and only has overlay upstreams with no
-	// Connected peer. Per-server and overridable via envWarningDelay;
-	// see warningDelay.
-	defaultWarningDelayBase = 60 * time.Second
+	// Connected peer. Per-server and overridable; see warningDelayFor.
+	defaultWarningDelayBase = 30 * time.Second
 	// warningDelayBonusCap caps the route-count bonus added to the
-	// base grace window. See warningDelay.
+	// base grace window. See warningDelayFor.
 	warningDelayBonusCap = 30 * time.Second
-	// envWarningDelay overrides defaultWarningDelayBase with a Go duration
-	// string (e.g. "90s", "2m"). Invalid or non-positive values are ignored.
-	envWarningDelay = "NB_DNS_HEALTH_WARNING_DELAY"
 )

 // errNoUsableNameservers signals that a merged-domain group has no usable
@@ -140,7 +135,7 @@ type DefaultServer struct {
 	disableSys         bool
 	mux                sync.Mutex
 	service            service
-	dnsMuxHandlers     []handlerWrapper
+	dnsMuxMap          registeredHandlerMap
 	localResolver      *local.Resolver
 	wgInterface        WGIface
 	hostManager        hostManager
@@ -204,6 +199,8 @@ type handlerWrapper struct {
 	priority int
 }

+type registeredHandlerMap map[types.HandlerID]handlerWrapper
+
 // DefaultServerConfig holds configuration parameters for NewDefaultServer
 type DefaultServerConfig struct {
 	WgInterface    WGIface
@@ -292,6 +289,7 @@ func newDefaultServer(
 		service:           dnsService,
 		handlerChain:      handlerChain,
 		extraDomains:      make(map[domain.Domain]int),
+		dnsMuxMap:         make(registeredHandlerMap),
 		localResolver:     local.NewResolver(),
 		wgInterface:       wgInterface,
 		statusRecorder:    statusRecorder,
@@ -300,7 +298,7 @@ func newDefaultServer(
 		hostManager:       &noopHostConfigurator{},
 		mgmtCacheResolver: mgmtCacheResolver,
 		currentConfigHash: ^uint64(0), // Initialize to max uint64 to ensure first config is always applied
-		warningDelayBase:  warningDelayBaseFromEnv(),
+		warningDelayBase:  defaultWarningDelayBase,
 		healthRefresh:     make(chan struct{}, 1),
 	}
 	// Wire the local resolver against the peer status recorder so it can
@@ -330,7 +328,7 @@ func (s *DefaultServer) SetRouteSources(selected, active func() route.HAMap) {
 	type routeSettable interface {
 		setSelectedRoutes(func() route.HAMap)
 	}
-	for _, entry := range s.dnsMuxHandlers {
+	for _, entry := range s.dnsMuxMap {
 		if h, ok := entry.handler.(routeSettable); ok {
 			h.setSelectedRoutes(selected)
 		}
@@ -980,23 +978,19 @@ func (s *DefaultServer) usableNameServers(nameServers []nbdns.NameServer) []neti

 func (s *DefaultServer) updateMux(muxUpdates []handlerWrapper) {
 	// this will introduce a short period of time when the server is not able to handle DNS requests
-	for _, existing := range s.dnsMuxHandlers {
+	for _, existing := range s.dnsMuxMap {
 		s.deregisterHandler([]string{existing.domain}, existing.priority)
-		// The local resolver is a persistent singleton shared by every custom
-		// zone and reused across config updates. Its chain registrations are
-		// per-config and must be deregistered, but Stop() cancels its lookup
-		// context (breaking external CNAME-target resolution) and clears its
-		// records, so it must not be torn down here.
-		if existing.handler != s.localResolver {
-			existing.handler.Stop()
-		}
+		existing.handler.Stop()
 	}

+	muxUpdateMap := make(registeredHandlerMap)
+
 	for _, update := range muxUpdates {
 		s.registerHandler([]string{update.domain}, update.handler, update.priority)
+		muxUpdateMap[update.handler.ID()] = update
 	}

-	s.dnsMuxHandlers = muxUpdates
+	s.dnsMuxMap = muxUpdateMap
 }

 // updateNSGroupStates records the new group set and pokes the refresher.
@@ -1160,26 +1154,6 @@ func (s *DefaultServer) projectUnhealthy(p *nsGroupProj, servers []netip.AddrPor
 	return false
 }

-// warningDelayBaseFromEnv returns the base grace window, honoring
-// envWarningDelay when it holds a valid positive Go duration. Invalid or
-// non-positive values fall back to defaultWarningDelayBase.
-func warningDelayBaseFromEnv() time.Duration {
-	val := os.Getenv(envWarningDelay)
-	if val == "" {
-		return defaultWarningDelayBase
-	}
-	d, err := time.ParseDuration(val)
-	if err != nil {
-		log.Warnf("invalid %s value %q, using default %v: %v", envWarningDelay, val, defaultWarningDelayBase, err)
-		return defaultWarningDelayBase
-	}
-	if d <= 0 {
-		log.Warnf("%s must be positive, got %v, using default %v", envWarningDelay, d, defaultWarningDelayBase)
-		return defaultWarningDelayBase
-	}
-	return d
-}
-
 // warningDelay returns the grace window for the given selected-route
 // count. Scales gently: +1s per 100 routes, capped by
 // warningDelayBonusCap. Parallel handshakes mean handshake time grows
@@ -1230,7 +1204,7 @@ func (s *DefaultServer) groupHasImmediateUpstream(servers []netip.AddrPort, snap
 // in more than one handler.
 func (s *DefaultServer) collectUpstreamHealth() map[netip.AddrPort]UpstreamHealth {
 	merged := make(map[netip.AddrPort]UpstreamHealth)
-	for _, entry := range s.dnsMuxHandlers {
+	for _, entry := range s.dnsMuxMap {
 		reporter, ok := entry.handler.(upstreamHealthReporter)
 		if !ok {
 			continue
--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -104,6 +104,19 @@ func init() {
 	formatter.SetTextFormatter(log.StandardLogger())
 }

+func generateDummyHandler(d string, servers []nbdns.NameServer) *upstreamResolverBase {
+	var srvs []netip.AddrPort
+	for _, srv := range servers {
+		srvs = append(srvs, srv.AddrPort())
+	}
+	u := &upstreamResolverBase{
+		domain: domain.Domain(d),
+		cancel: func() {},
+	}
+	u.addRace(srvs)
+	return u
+}
+
 func TestUpdateDNSServer(t *testing.T) {

 	nameServers := []nbdns.NameServer{
@@ -119,20 +132,22 @@ func TestUpdateDNSServer(t *testing.T) {
 		},
 	}

+	dummyHandler := local.NewResolver()
+
 	testCases := []struct {
 		name                string
-		initUpstreamMap     []handlerWrapper
+		initUpstreamMap     registeredHandlerMap
 		initLocalZones      []nbdns.CustomZone
 		initSerial          uint64
 		inputSerial         uint64
 		inputUpdate         nbdns.Config
 		shouldFail          bool
-		expectedUpstreamMap []handlerWrapper
+		expectedUpstreamMap registeredHandlerMap
 		expectedLocalQs     []dns.Question
 	}{
 		{
 			name:            "Initial Config Should Succeed",
-			initUpstreamMap: nil,
+			initUpstreamMap: make(registeredHandlerMap),
 			initSerial:      0,
 			inputSerial:     1,
 			inputUpdate: nbdns.Config{
@@ -154,17 +169,20 @@ func TestUpdateDNSServer(t *testing.T) {
 					},
 				},
 			},
-			expectedUpstreamMap: []handlerWrapper{
-				{
+			expectedUpstreamMap: registeredHandlerMap{
+				generateDummyHandler("netbird.io", nameServers).ID(): handlerWrapper{
 					domain:   "netbird.io",
+					handler:  dummyHandler,
 					priority: PriorityUpstream,
 				},
-				{
+				dummyHandler.ID(): handlerWrapper{
 					domain:   "netbird.cloud",
+					handler:  dummyHandler,
 					priority: PriorityLocal,
 				},
-				{
+				generateDummyHandler(".", nameServers).ID(): handlerWrapper{
 					domain:   nbdns.RootZone,
+					handler:  dummyHandler,
 					priority: PriorityDefault,
 				},
 			},
@@ -173,10 +191,10 @@ func TestUpdateDNSServer(t *testing.T) {
 		{
 			name:           "New Config Should Succeed",
 			initLocalZones: []nbdns.CustomZone{{Domain: "netbird.cloud", Records: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: 1, Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}}}},
-			initUpstreamMap: []handlerWrapper{
-				{
+			initUpstreamMap: registeredHandlerMap{
+				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
 					domain:   "netbird.cloud",
-					handler:  &mockHandler{},
+					handler:  dummyHandler,
 					priority: PriorityUpstream,
 				},
 			},
@@ -197,13 +215,15 @@ func TestUpdateDNSServer(t *testing.T) {
 					},
 				},
 			},
-			expectedUpstreamMap: []handlerWrapper{
-				{
+			expectedUpstreamMap: registeredHandlerMap{
+				generateDummyHandler("netbird.io", nameServers).ID(): handlerWrapper{
 					domain:   "netbird.io",
+					handler:  dummyHandler,
 					priority: PriorityUpstream,
 				},
-				{
+				"local-resolver": handlerWrapper{
 					domain:   "netbird.cloud",
+					handler:  dummyHandler,
 					priority: PriorityLocal,
 				},
 			},
@@ -212,7 +232,7 @@ func TestUpdateDNSServer(t *testing.T) {
 		{
 			name:            "Smaller Config Serial Should Be Skipped",
 			initLocalZones:  []nbdns.CustomZone{},
-			initUpstreamMap: nil,
+			initUpstreamMap: make(registeredHandlerMap),
 			initSerial:      2,
 			inputSerial:     1,
 			shouldFail:      true,
@@ -220,7 +240,7 @@ func TestUpdateDNSServer(t *testing.T) {
 		{
 			name:            "Empty NS Group Domain Or Not Primary Element Should Fail",
 			initLocalZones:  []nbdns.CustomZone{},
-			initUpstreamMap: nil,
+			initUpstreamMap: make(registeredHandlerMap),
 			initSerial:      0,
 			inputSerial:     1,
 			inputUpdate: nbdns.Config{
@@ -242,7 +262,7 @@ func TestUpdateDNSServer(t *testing.T) {
 		{
 			name:            "Invalid NS Group Nameservers list Should Fail",
 			initLocalZones:  []nbdns.CustomZone{},
-			initUpstreamMap: nil,
+			initUpstreamMap: make(registeredHandlerMap),
 			initSerial:      0,
 			inputSerial:     1,
 			inputUpdate: nbdns.Config{
@@ -264,7 +284,7 @@ func TestUpdateDNSServer(t *testing.T) {
 		{
 			name:            "Invalid Custom Zone Records list Should Skip",
 			initLocalZones:  []nbdns.CustomZone{},
-			initUpstreamMap: nil,
+			initUpstreamMap: make(registeredHandlerMap),
 			initSerial:      0,
 			inputSerial:     1,
 			inputUpdate: nbdns.Config{
@@ -281,41 +301,42 @@ func TestUpdateDNSServer(t *testing.T) {
 					},
 				},
 			},
-			expectedUpstreamMap: []handlerWrapper{{
+			expectedUpstreamMap: registeredHandlerMap{generateDummyHandler(".", nameServers).ID(): handlerWrapper{
 				domain:   ".",
+				handler:  dummyHandler,
 				priority: PriorityDefault,
 			}},
 		},
 		{
 			name:           "Empty Config Should Succeed and Clean Maps",
 			initLocalZones: []nbdns.CustomZone{{Domain: "netbird.cloud", Records: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}}}},
-			initUpstreamMap: []handlerWrapper{
-				{
+			initUpstreamMap: registeredHandlerMap{
+				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
 					domain:   zoneRecords[0].Name,
-					handler:  &mockHandler{},
+					handler:  dummyHandler,
 					priority: PriorityUpstream,
 				},
 			},
 			initSerial:          0,
 			inputSerial:         1,
 			inputUpdate:         nbdns.Config{ServiceEnable: true},
-			expectedUpstreamMap: nil,
+			expectedUpstreamMap: make(registeredHandlerMap),
 			expectedLocalQs:     []dns.Question{},
 		},
 		{
 			name:           "Disabled Service Should clean map",
 			initLocalZones: []nbdns.CustomZone{{Domain: "netbird.cloud", Records: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}}}},
-			initUpstreamMap: []handlerWrapper{
-				{
+			initUpstreamMap: registeredHandlerMap{
+				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
 					domain:   zoneRecords[0].Name,
-					handler:  &mockHandler{},
+					handler:  dummyHandler,
 					priority: PriorityUpstream,
 				},
 			},
 			initSerial:          0,
 			inputSerial:         1,
 			inputUpdate:         nbdns.Config{ServiceEnable: false},
-			expectedUpstreamMap: nil,
+			expectedUpstreamMap: make(registeredHandlerMap),
 			expectedLocalQs:     []dns.Question{},
 		},
 	}
@@ -372,7 +393,7 @@ func TestUpdateDNSServer(t *testing.T) {
 				}
 			}()

-			dnsServer.dnsMuxHandlers = testCase.initUpstreamMap
+			dnsServer.dnsMuxMap = testCase.initUpstreamMap
 			dnsServer.localResolver.Update(testCase.initLocalZones)
 			dnsServer.updateSerial = testCase.initSerial

@@ -384,20 +405,14 @@ func TestUpdateDNSServer(t *testing.T) {
 				t.Fatalf("update dns server should not fail, got error: %v", err)
 			}

-			if len(dnsServer.dnsMuxHandlers) != len(testCase.expectedUpstreamMap) {
-				t.Fatalf("update upstream failed, map size is different than expected, want %d, got %d", len(testCase.expectedUpstreamMap), len(dnsServer.dnsMuxHandlers))
+			if len(dnsServer.dnsMuxMap) != len(testCase.expectedUpstreamMap) {
+				t.Fatalf("update upstream failed, map size is different than expected, want %d, got %d", len(testCase.expectedUpstreamMap), len(dnsServer.dnsMuxMap))
 			}

-			for _, expected := range testCase.expectedUpstreamMap {
-				found := false
-				for _, got := range dnsServer.dnsMuxHandlers {
-					if got.domain == expected.domain && got.priority == expected.priority {
-						found = true
-						break
-					}
-				}
+			for key := range testCase.expectedUpstreamMap {
+				_, found := dnsServer.dnsMuxMap[key]
 				if !found {
-					t.Fatalf("update upstream failed, handler for domain=%s priority=%d not found in dnsMuxHandlers: %#v", expected.domain, expected.priority, dnsServer.dnsMuxHandlers)
+					t.Fatalf("update upstream failed, key %s was not found in the dnsMuxMap: %#v", key, dnsServer.dnsMuxMap)
 				}
 			}

@@ -497,8 +512,8 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 		}
 	}()

-	dnsServer.dnsMuxHandlers = []handlerWrapper{
-		{
+	dnsServer.dnsMuxMap = registeredHandlerMap{
+		"id1": handlerWrapper{
 			domain:   zoneRecords[0].Name,
 			handler:  &local.Resolver{},
 			priority: PriorityUpstream,
@@ -1014,15 +1029,15 @@ func (m *mockService) RegisterMux(string, dns.Handler) {}
 func (m *mockService) DeregisterMux(string)            {}

 func TestDefaultServer_UpdateMux(t *testing.T) {
-	baseMatchHandlers := []handlerWrapper{
-		{
+	baseMatchHandlers := registeredHandlerMap{
+		"upstream-group1": {
 			domain: "example.com",
 			handler: &mockHandler{
 				Id: "upstream-group1",
 			},
 			priority: PriorityUpstream,
 		},
-		{
+		"upstream-group2": {
 			domain: "example.com",
 			handler: &mockHandler{
 				Id: "upstream-group2",
@@ -1031,15 +1046,15 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 		},
 	}

-	baseRootHandlers := []handlerWrapper{
-		{
+	baseRootHandlers := registeredHandlerMap{
+		"upstream-root1": {
 			domain: ".",
 			handler: &mockHandler{
 				Id: "upstream-root1",
 			},
 			priority: PriorityDefault,
 		},
-		{
+		"upstream-root2": {
 			domain: ".",
 			handler: &mockHandler{
 				Id: "upstream-root2",
@@ -1048,22 +1063,22 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 		},
 	}

-	baseMixedHandlers := []handlerWrapper{
-		{
+	baseMixedHandlers := registeredHandlerMap{
+		"upstream-group1": {
 			domain: "example.com",
 			handler: &mockHandler{
 				Id: "upstream-group1",
 			},
 			priority: PriorityUpstream,
 		},
-		{
+		"upstream-group2": {
 			domain: "example.com",
 			handler: &mockHandler{
 				Id: "upstream-group2",
 			},
 			priority: PriorityUpstream - 1,
 		},
-		{
+		"upstream-other": {
 			domain: "other.com",
 			handler: &mockHandler{
 				Id: "upstream-other",
@@ -1074,7 +1089,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {

 	tests := []struct {
 		name             string
-		initialHandlers  []handlerWrapper
+		initialHandlers  registeredHandlerMap
 		updates          []handlerWrapper
 		expectedHandlers map[string]string // map[HandlerID]domain
 		description      string
@@ -1358,38 +1373,32 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			server := &DefaultServer{
-				dnsMuxHandlers: tt.initialHandlers,
-				handlerChain:   NewHandlerChain(),
-				service:        &mockService{},
+				dnsMuxMap:    tt.initialHandlers,
+				handlerChain: NewHandlerChain(),
+				service:      &mockService{},
 			}

 			// Perform the update
 			server.updateMux(tt.updates)

 			// Verify the results
-			assert.Equal(t, len(tt.expectedHandlers), len(server.dnsMuxHandlers),
+			assert.Equal(t, len(tt.expectedHandlers), len(server.dnsMuxMap),
 				"Number of handlers after update doesn't match expected")

 			// Check each expected handler
 			for id, expectedDomain := range tt.expectedHandlers {
-				var found *handlerWrapper
-				for i := range server.dnsMuxHandlers {
-					if server.dnsMuxHandlers[i].handler.ID() == types.HandlerID(id) {
-						found = &server.dnsMuxHandlers[i]
-						break
-					}
-				}
-				assert.NotNil(t, found, "Expected handler %s not found", id)
-				if found != nil {
-					assert.Equal(t, expectedDomain, found.domain,
+				handler, exists := server.dnsMuxMap[types.HandlerID(id)]
+				assert.True(t, exists, "Expected handler %s not found", id)
+				if exists {
+					assert.Equal(t, expectedDomain, handler.domain,
 						"Domain mismatch for handler %s", id)
 				}
 			}

 			// Verify no unexpected handlers exist
-			for _, entry := range server.dnsMuxHandlers {
-				_, expected := tt.expectedHandlers[string(entry.handler.ID())]
-				assert.True(t, expected, "Unexpected handler found: %s", entry.handler.ID())
+			for HandlerID := range server.dnsMuxMap {
+				_, expected := tt.expectedHandlers[string(HandlerID)]
+				assert.True(t, expected, "Unexpected handler found: %s", HandlerID)
 			}

 			// Verify the handlerChain state and order
@@ -1404,7 +1413,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {

 				// Verify handler exists in mux
 				foundInMux := false
-				for _, muxEntry := range server.dnsMuxHandlers {
+				for _, muxEntry := range server.dnsMuxMap {
 					if chainEntry.Handler == muxEntry.handler &&
 						chainEntry.Priority == muxEntry.priority &&
 						chainEntry.Pattern == dns.Fqdn(muxEntry.domain) {
@@ -1413,108 +1422,12 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					}
 				}
 				assert.True(t, foundInMux,
-					"Handler in chain not found in dnsMuxHandlers")
+					"Handler in chain not found in dnsMuxMap")
 			}
 		})
 	}
 }

-// chainHasPattern reports whether the handler chain holds an entry registered
-// for the given fqdn pattern at the given priority.
-func chainHasPattern(s *DefaultServer, pattern string, priority int) bool {
-	for _, h := range s.handlerChain.handlers {
-		if h.OrigPattern == pattern && h.Priority == priority {
-			return true
-		}
-	}
-	return false
-}
-
-// TestDefaultServer_UpdateMux_SharedHandlerZoneRemoval verifies that updateMux
-// tracks each (handler, domain) registration independently when one handler
-// serves multiple zones. Every custom zone is served by the same handler
-// instance (the local resolver, whose ID is the constant "local-resolver"), so
-// removing one zone must deregister exactly that zone's chain entry and leave
-// the others in place. Tracking registrations by handler ID alone collapses all
-// zones onto one entry, leaving removed zones in the chain to answer
-// authoritatively with no records.
-func TestDefaultServer_UpdateMux_SharedHandlerZoneRemoval(t *testing.T) {
-	// One handler serves every custom zone, mirroring s.localResolver.
-	shared := &mockHandler{Id: "local-resolver"}
-
-	server := &DefaultServer{
-		handlerChain: NewHandlerChain(),
-		service:      &mockService{},
-	}
-
-	// Two custom zones under the same handler. The surviving zone is registered
-	// last, mirroring the management emission order.
-	server.updateMux([]handlerWrapper{
-		{domain: "userzone.test", handler: shared, priority: PriorityLocal},
-		{domain: "peerzone.test", handler: shared, priority: PriorityLocal},
-	})
-
-	require.True(t, chainHasPattern(server, "userzone.test.", PriorityLocal),
-		"userzone.test should be registered after the first update")
-	require.True(t, chainHasPattern(server, "peerzone.test.", PriorityLocal),
-		"peerzone.test should be registered after the first update")
-
-	// Remove one zone, keep the other.
-	server.updateMux([]handlerWrapper{
-		{domain: "peerzone.test", handler: shared, priority: PriorityLocal},
-	})
-
-	assert.True(t, chainHasPattern(server, "peerzone.test.", PriorityLocal),
-		"peerzone.test should remain after removing userzone.test")
-	assert.False(t, chainHasPattern(server, "userzone.test.", PriorityLocal),
-		"userzone.test handler must be deregistered, not leaked in the chain")
-}
-
-// TestDefaultServer_UpdateMux_PreservesLocalResolver verifies that updateMux
-// does not tear down the shared local resolver during reconfiguration. The
-// resolver is a process-lifetime singleton reused across config updates;
-// Stop() cancels its lookup context (breaking external CNAME-target
-// resolution) and clears its records. updateMux must deregister its chain
-// entries without stopping it. Records surviving a teardown update is the
-// observable proxy: Stop() would have cleared them.
-func TestDefaultServer_UpdateMux_PreservesLocalResolver(t *testing.T) {
-	resolver := local.NewResolver()
-	require.NoError(t, resolver.RegisterRecord(nbdns.SimpleRecord{
-		Name:  "peer.netbird.cloud.",
-		Type:  int(dns.TypeA),
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "10.0.0.1",
-	}))
-
-	server := &DefaultServer{
-		handlerChain:  NewHandlerChain(),
-		service:       &mockService{},
-		localResolver: resolver,
-	}
-
-	server.updateMux([]handlerWrapper{
-		{domain: "netbird.cloud", handler: resolver, priority: PriorityLocal},
-	})
-
-	// Remove the zone. The resolver must survive so its records and lookup
-	// context stay intact for the next registration.
-	server.updateMux(nil)
-
-	var response *dns.Msg
-	resolver.ServeDNS(&test.MockResponseWriter{
-		WriteMsgFunc: func(m *dns.Msg) error {
-			response = m
-			return nil
-		},
-	}, &dns.Msg{Question: []dns.Question{{Name: "peer.netbird.cloud.", Qtype: dns.TypeA, Qclass: dns.ClassINET}}})
-
-	require.NotNil(t, response, "local resolver should answer after teardown")
-	assert.Equal(t, dns.RcodeSuccess, response.Rcode,
-		"local resolver records must survive teardown; updateMux must not Stop() the shared resolver")
-	assert.NotEmpty(t, response.Answer, "answer should contain the surviving record")
-}
-
 func TestExtraDomains(t *testing.T) {
 	tests := []struct {
 		name                string
@@ -2136,6 +2049,7 @@ func TestBuildUpstreamHandler_MergesGroupsPerDomain(t *testing.T) {
 		localResolver: local.NewResolver(),
 		handlerChain:  NewHandlerChain(),
 		hostManager:   &noopHostConfigurator{},
+		dnsMuxMap:     make(registeredHandlerMap),
 	}

 	groups := []*nbdns.NameServerGroup{
@@ -2293,7 +2207,7 @@ func TestEvaluateNSGroupHealth(t *testing.T) {
 	}
 }

-// healthStubHandler is a minimal dnsMuxHandlers entry that exposes a fixed
+// healthStubHandler is a minimal dnsMuxMap entry that exposes a fixed
 // UpstreamHealth snapshot, letting tests drive recomputeNSGroupStates
 // without spinning up real handlers.
 type healthStubHandler struct {
@@ -2369,11 +2283,12 @@ func newProjTestFixture(t *testing.T) *projTestFixture {
 		ctx:              context.Background(),
 		wgInterface:      &mocWGIface{},
 		statusRecorder:   recorder,
+		dnsMuxMap:        make(registeredHandlerMap),
 		selectedRoutes:   func() route.HAMap { return fx.selected },
 		activeRoutes:     func() route.HAMap { return fx.active },
 		warningDelayBase: defaultWarningDelayBase,
 	}
-	fx.server.dnsMuxHandlers = []handlerWrapper{{domain: "example.com", handler: fx.stub, priority: PriorityUpstream}}
+	fx.server.dnsMuxMap["example.com"] = handlerWrapper{domain: "example.com", handler: fx.stub, priority: PriorityUpstream}

 	fx.server.mux.Lock()
 	fx.server.updateNSGroupStates([]*nbdns.NameServerGroup{fx.group})
@@ -2480,6 +2395,7 @@ func TestProjection_OverlayAddrNoRouteDelaysWarning(t *testing.T) {
 		ctx:              context.Background(),
 		wgInterface:      &mocWGIface{},
 		statusRecorder:   recorder,
+		dnsMuxMap:        make(registeredHandlerMap),
 		selectedRoutes:   func() route.HAMap { return nil },
 		activeRoutes:     func() route.HAMap { return nil },
 		warningDelayBase: 50 * time.Millisecond,
@@ -2491,7 +2407,7 @@ func TestProjection_OverlayAddrNoRouteDelaysWarning(t *testing.T) {
 	stub := &healthStubHandler{health: map[netip.AddrPort]UpstreamHealth{
 		overlayPeer: {LastFail: time.Now(), LastErr: "timeout"},
 	}}
-	server.dnsMuxHandlers = []handlerWrapper{{domain: "example.com", handler: stub, priority: PriorityUpstream}}
+	server.dnsMuxMap["example.com"] = handlerWrapper{domain: "example.com", handler: stub, priority: PriorityUpstream}

 	server.mux.Lock()
 	server.updateNSGroupStates([]*nbdns.NameServerGroup{group})
@@ -2528,6 +2444,7 @@ func TestProjection_StopClearsHealthState(t *testing.T) {
 		service:           NewServiceViaMemory(wgIface),
 		hostManager:       &noopHostConfigurator{},
 		extraDomains:      map[domain.Domain]int{},
+		dnsMuxMap:         make(registeredHandlerMap),
 		statusRecorder:    peer.NewRecorder("mgm"),
 		selectedRoutes:    func() route.HAMap { return nil },
 		activeRoutes:      func() route.HAMap { return nil },
@@ -2542,7 +2459,7 @@ func TestProjection_StopClearsHealthState(t *testing.T) {
 		NameServers: []nbdns.NameServer{{IP: srv.Addr(), NSType: nbdns.UDPNameServerType, Port: int(srv.Port())}},
 	}
 	stub := &healthStubHandler{health: map[netip.AddrPort]UpstreamHealth{srv: {LastOk: time.Now()}}}
-	server.dnsMuxHandlers = []handlerWrapper{{domain: "example.com", handler: stub, priority: PriorityUpstream}}
+	server.dnsMuxMap["example.com"] = handlerWrapper{domain: "example.com", handler: stub, priority: PriorityUpstream}

 	server.mux.Lock()
 	server.updateNSGroupStates([]*nbdns.NameServerGroup{group})
@@ -2567,32 +2484,6 @@ func TestProjection_StopClearsHealthState(t *testing.T) {
 // rule 3: startup failures while the peer is handshaking, then the peer
 // comes up and a query succeeds before the grace window elapses. No
 // warning should ever have fired, and no recovery either.
-func TestWarningDelayBaseFromEnv(t *testing.T) {
-	tests := []struct {
-		name string
-		set  bool
-		val  string
-		want time.Duration
-	}{
-		{name: "unset uses default", set: false, want: defaultWarningDelayBase},
-		{name: "valid override", set: true, val: "90s", want: 90 * time.Second},
-		{name: "valid minutes", set: true, val: "2m", want: 2 * time.Minute},
-		{name: "invalid falls back", set: true, val: "notaduration", want: defaultWarningDelayBase},
-		{name: "zero falls back", set: true, val: "0s", want: defaultWarningDelayBase},
-		{name: "negative falls back", set: true, val: "-30s", want: defaultWarningDelayBase},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Setenv(envWarningDelay, tc.val)
-			if !tc.set {
-				os.Unsetenv(envWarningDelay)
-			}
-			assert.Equal(t, tc.want, warningDelayBaseFromEnv(), "grace window base")
-		})
-	}
-}
-
 func TestProjection_OverlayRecoversDuringGrace(t *testing.T) {
 	fx := newProjTestFixture(t)
 	fx.server.warningDelayBase = 200 * time.Millisecond
@@ -2704,6 +2595,7 @@ func TestProjection_MixedGroupEmitsImmediately(t *testing.T) {
 	server := &DefaultServer{
 		ctx:              context.Background(),
 		statusRecorder:   recorder,
+		dnsMuxMap:        make(registeredHandlerMap),
 		selectedRoutes:   func() route.HAMap { return overlayMap },
 		activeRoutes:     func() route.HAMap { return nil },
 		warningDelayBase: time.Hour,
@@ -2721,7 +2613,7 @@ func TestProjection_MixedGroupEmitsImmediately(t *testing.T) {
 			overlay: {LastFail: time.Now(), LastErr: "timeout"},
 		},
 	}
-	server.dnsMuxHandlers = []handlerWrapper{{domain: "example.com", handler: stub, priority: PriorityUpstream}}
+	server.dnsMuxMap["example.com"] = handlerWrapper{domain: "example.com", handler: stub, priority: PriorityUpstream}

 	server.mux.Lock()
 	server.updateNSGroupStates([]*nbdns.NameServerGroup{group})
@@ -2748,6 +2640,7 @@ func TestDNSLoopPrevention(t *testing.T) {
 		localResolver: local.NewResolver(),
 		handlerChain:  NewHandlerChain(),
 		hostManager:   &noopHostConfigurator{},
+		dnsMuxMap:     make(registeredHandlerMap),
 	}

 	tests := []struct {
--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -443,32 +443,29 @@ func (u *upstreamResolverBase) queryUpstream(parentCtx context.Context, r *dns.M
 		return raceResult{}, &upstreamFailure{upstream: upstream, reason: "no response"}
 	}

-	// A valid response means the upstream is reachable, whatever the Rcode.
-	u.markUpstreamOk(upstream)
-
 	proto := ""
 	if upstreamProto != nil {
 		proto = upstreamProto.protocol
 	}

 	if rm.Rcode == dns.RcodeServerFailure || rm.Rcode == dns.RcodeRefused {
-		// SERVFAIL and REFUSED are per-question outcomes (DNSSEC-bogus names,
-		// refused zones, transient recursion errors), not reachability
-		// problems: fail over for a better answer but keep the upstream healthy.
 		if code, ok := nonRetryableEDE(rm); ok {
 			if !hadEdns {
-				resutil.StripOPT(rm)
+				stripOPT(rm)
 			}
+			u.markUpstreamOk(upstream)
 			return raceResult{msg: rm, upstream: upstream, protocol: proto, ede: edeName(code)}, nil
 		}
 		reason := dns.RcodeToString[rm.Rcode]
+		u.markUpstreamFail(upstream, reason)
 		return raceResult{}, &upstreamFailure{upstream: upstream, reason: reason}
 	}

 	if !hadEdns {
-		resutil.StripOPT(rm)
+		stripOPT(rm)
 	}

+	u.markUpstreamOk(upstream)
 	return raceResult{msg: rm, upstream: upstream, protocol: proto}, nil
 }

@@ -523,6 +520,22 @@ func upstreamUDPSize() uint16 {
 	return dns.MinMsgSize
 }

+// stripOPT removes any OPT pseudo-RRs from the response's Extra section so
+// the response complies with RFC 6891 when the client did not advertise EDNS0.
+func stripOPT(rm *dns.Msg) {
+	if len(rm.Extra) == 0 {
+		return
+	}
+	out := rm.Extra[:0]
+	for _, rr := range rm.Extra {
+		if _, ok := rr.(*dns.OPT); ok {
+			continue
+		}
+		out = append(out, rr)
+	}
+	rm.Extra = out
+}
+
 func (u *upstreamResolverBase) handleUpstreamError(err error, upstream netip.AddrPort, startTime time.Time) *upstreamFailure {
 	if !errors.Is(err, context.DeadlineExceeded) && !isTimeout(err) {
 		return &upstreamFailure{upstream: upstream, reason: err.Error()}
--- a/client/internal/dns/upstream_test.go
+++ b/client/internal/dns/upstream_test.go
@@ -517,78 +517,6 @@ func TestUpstreamResolver_HealthTracking(t *testing.T) {
 	assert.NotContains(t, health, bad, "sibling upstream should not be queried when primary answers")
 }

-// TestUpstreamResolver_HealthTracking_ResponseMeansReachable verifies that an
-// upstream which answers with SERVFAIL or REFUSED is recorded as healthy:
-// those are per-question outcomes from a reachable server and must not mark
-// the upstream unhealthy. Only transport failures (timeouts) do.
-func TestUpstreamResolver_HealthTracking_ResponseMeansReachable(t *testing.T) {
-	a := netip.MustParseAddrPort("192.0.2.10:53")
-	b := netip.MustParseAddrPort("192.0.2.11:53")
-	timeoutErr := &net.OpError{Op: "read", Err: fmt.Errorf("i/o timeout")}
-
-	tests := []struct {
-		name        string
-		respA       mockUpstreamResponse
-		respB       mockUpstreamResponse
-		wantHealthy bool
-	}{
-		{
-			name:        "both SERVFAIL are reachable",
-			respA:       mockUpstreamResponse{msg: buildMockResponse(dns.RcodeServerFailure, "")},
-			respB:       mockUpstreamResponse{msg: buildMockResponse(dns.RcodeServerFailure, "")},
-			wantHealthy: true,
-		},
-		{
-			name:        "both REFUSED are reachable",
-			respA:       mockUpstreamResponse{msg: buildMockResponse(dns.RcodeRefused, "")},
-			respB:       mockUpstreamResponse{msg: buildMockResponse(dns.RcodeRefused, "")},
-			wantHealthy: true,
-		},
-		{
-			name:        "timeout marks unhealthy",
-			respA:       mockUpstreamResponse{err: timeoutErr},
-			respB:       mockUpstreamResponse{err: timeoutErr},
-			wantHealthy: false,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			mockClient := &mockUpstreamResolverPerServer{
-				responses: map[string]mockUpstreamResponse{
-					a.String(): tc.respA,
-					b.String(): tc.respB,
-				},
-				rtt: time.Millisecond,
-			}
-
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
-
-			resolver := &upstreamResolverBase{
-				ctx:             ctx,
-				upstreamClient:  mockClient,
-				upstreamTimeout: UpstreamTimeout,
-			}
-			resolver.addRace([]netip.AddrPort{a, b})
-
-			responseWriter := &test.MockResponseWriter{WriteMsgFunc: func(m *dns.Msg) error { return nil }}
-			resolver.ServeDNS(responseWriter, new(dns.Msg).SetQuestion("example.com.", dns.TypeA))
-
-			health := resolver.UpstreamHealth()
-			require.Contains(t, health, a, "primary upstream should have a health record")
-			if tc.wantHealthy {
-				assert.False(t, health[a].LastOk.IsZero(), "responding upstream should have LastOk set")
-				assert.True(t, health[a].LastFail.IsZero(), "responding upstream should not be marked failed")
-				assert.Empty(t, health[a].LastErr, "responding upstream should have no error")
-			} else {
-				assert.False(t, health[a].LastFail.IsZero(), "timed-out upstream should be marked failed")
-				assert.NotEmpty(t, health[a].LastErr, "timed-out upstream should record an error")
-			}
-		})
-	}
-}
-
 func TestFormatFailures(t *testing.T) {
 	testCases := []struct {
 		name     string
@@ -985,6 +913,19 @@ func TestEDEName(t *testing.T) {
 	assert.Equal(t, "EDE 9999", edeName(9999), "unknown code falls back to numeric")
 }

+func TestStripOPT(t *testing.T) {
+	rm := &dns.Msg{
+		Extra: []dns.RR{
+			&dns.OPT{Hdr: dns.RR_Header{Name: ".", Rrtype: dns.TypeOPT}},
+			&dns.A{Hdr: dns.RR_Header{Name: "x.", Rrtype: dns.TypeA}, A: net.IPv4(1, 2, 3, 4)},
+		},
+	}
+	stripOPT(rm)
+	assert.Len(t, rm.Extra, 1, "OPT should be removed, A kept")
+	_, isOPT := rm.Extra[0].(*dns.OPT)
+	assert.False(t, isOPT, "remaining record must not be OPT")
+}
+
 func TestUpstreamResolver_NonRetryableEDEShortCircuits(t *testing.T) {
 	upstream1 := netip.MustParseAddrPort("192.0.2.1:53")
 	upstream2 := netip.MustParseAddrPort("192.0.2.2:53")
--- a/client/internal/dnsfwd/forwarder.go
+++ b/client/internal/dnsfwd/forwarder.go
@@ -26,15 +26,6 @@ import (
 const errResolveFailed = "failed to resolve query for domain=%s: %v"
 const upstreamTimeout = 15 * time.Second

-// EDE info codes the forwarder emits on upstream failures so the querying
-// client can see the reason without inspecting this peer's logs. They live in
-// the RFC 8914 Private Use range (49152-65535); the Go resolver never exposes a
-// real upstream EDE here, so these cannot collide with a genuine code.
-const (
-	edeNetbirdUpstreamTimeout uint16 = 49152
-	edeNetbirdUpstreamFailure uint16 = 49153
-)
-
 type resolver interface {
 	LookupNetIP(ctx context.Context, network, host string) ([]netip.Addr, error)
 }
@@ -229,7 +220,7 @@ func (f *DNSForwarder) handleDNSQuery(logger *log.Entry, w dns.ResponseWriter, q

 	result := resutil.LookupIP(ctx, f.resolver, network, qname, question.Qtype)
 	if result.Err != nil {
-		f.handleDNSError(ctx, logger, w, question, resp, qname, result, query.IsEdns0() != nil, startTime)
+		f.handleDNSError(ctx, logger, w, question, resp, qname, result, startTime)
 		return
 	}

@@ -342,7 +333,6 @@ func (f *DNSForwarder) handleDNSError(
 	resp *dns.Msg,
 	domain string,
 	result resutil.LookupResult,
-	reqHasEdns bool,
 	startTime time.Time,
 ) {
 	qType := question.Qtype
@@ -384,10 +374,6 @@ func (f *DNSForwarder) handleDNSError(
 		logger.Warnf(errResolveFailed, domain, result.Err)
 	}

-	if reqHasEdns {
-		attachEDE(resp, edeCodeFor(dnsErr), edeText(dnsErr))
-	}
-
 	f.writeResponse(logger, w, resp, domain, startTime)
 }

@@ -428,33 +414,3 @@ func (f *DNSForwarder) getMatchingEntries(domain string) (route.ResID, []*Forwar

 	return selectedResId, matches
 }
-
-// edeCodeFor maps an upstream lookup error to the NetBird EDE info code.
-func edeCodeFor(dnsErr *net.DNSError) uint16 {
-	if dnsErr != nil && dnsErr.IsTimeout {
-		return edeNetbirdUpstreamTimeout
-	}
-	return edeNetbirdUpstreamFailure
-}
-
-// edeText builds the EDE extra-text describing the class of upstream failure.
-// It deliberately omits the upstream server address, which may be an internal
-// resolver and is exposed to any client permitted to use the route; the full
-// detail stays in the forwarder's local log.
-func edeText(dnsErr *net.DNSError) string {
-	if dnsErr != nil && dnsErr.IsTimeout {
-		return "netbird forwarder: upstream timeout"
-	}
-	return "netbird forwarder: upstream failure"
-}
-
-// attachEDE adds an Extended DNS Error (RFC 8914) option to the response,
-// creating the OPT pseudo-record if the response does not already carry one.
-func attachEDE(resp *dns.Msg, code uint16, text string) {
-	opt := resp.IsEdns0()
-	if opt == nil {
-		resp.SetEdns0(dns.DefaultMsgSize, false)
-		opt = resp.IsEdns0()
-	}
-	opt.Option = append(opt.Option, &dns.EDNS0_EDE{InfoCode: code, ExtraText: text})
-}
--- a/client/internal/dnsfwd/forwarder_test.go
+++ b/client/internal/dnsfwd/forwarder_test.go
@@ -16,7 +16,6 @@ import (
 	"github.com/stretchr/testify/require"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/internal/dns/resutil"
 	"github.com/netbirdio/netbird/client/internal/dns/test"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/route"
@@ -618,85 +617,6 @@ func TestDNSForwarder_ResponseCodes(t *testing.T) {
 	}
 }

-func TestDNSForwarder_UpstreamFailureEDE(t *testing.T) {
-	tests := []struct {
-		name        string
-		lookupErr   error
-		reqEdns     bool
-		wantEDE     bool
-		wantCode    uint16
-		wantTextHas string
-	}{
-		{
-			name:        "timeout with edns0",
-			lookupErr:   &net.DNSError{Err: "i/o timeout", Server: "10.0.0.53:53", IsTimeout: true},
-			reqEdns:     true,
-			wantEDE:     true,
-			wantCode:    edeNetbirdUpstreamTimeout,
-			wantTextHas: "netbird forwarder: upstream timeout",
-		},
-		{
-			name:        "server failure with edns0",
-			lookupErr:   &net.DNSError{Err: "server misbehaving", Server: "10.0.0.53:53"},
-			reqEdns:     true,
-			wantEDE:     true,
-			wantCode:    edeNetbirdUpstreamFailure,
-			wantTextHas: "netbird forwarder: upstream failure",
-		},
-		{
-			name:      "no edns0 in request omits ede",
-			lookupErr: &net.DNSError{Err: "server misbehaving", Server: "10.0.0.53:53"},
-			reqEdns:   false,
-			wantEDE:   false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			mockResolver := &MockResolver{}
-			forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)
-			forwarder.resolver = mockResolver
-
-			d, err := domain.FromString("example.com")
-			require.NoError(t, err)
-			forwarder.UpdateDomains([]*ForwarderEntry{{Domain: d, ResID: "test-res"}})
-
-			mockResolver.On("LookupNetIP", mock.Anything, "ip4", "example.com.").
-				Return([]netip.Addr(nil), tt.lookupErr).Once()
-
-			query := &dns.Msg{}
-			query.SetQuestion("example.com.", dns.TypeA)
-			if tt.reqEdns {
-				query.SetEdns0(dns.DefaultMsgSize, false)
-			}
-
-			var writtenResp *dns.Msg
-			mockWriter := &test.MockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					writtenResp = m
-					return nil
-				},
-			}
-
-			forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())
-			mockResolver.AssertExpectations(t)
-
-			require.NotNil(t, writtenResp, "expected a response")
-			assert.Equal(t, dns.RcodeServerFailure, writtenResp.Rcode, "upstream failure must be SERVFAIL")
-
-			ede, ok := resutil.ExtractEDE(writtenResp)
-			if !tt.wantEDE {
-				assert.False(t, ok, "response must not carry EDE")
-				return
-			}
-			require.True(t, ok, "response must carry EDE")
-			assert.Equal(t, tt.wantCode, ede.InfoCode, "EDE info code")
-			assert.Contains(t, ede.ExtraText, tt.wantTextHas, "EDE extra-text")
-			assert.NotContains(t, ede.ExtraText, "10.0.0.53", "must not leak upstream server address")
-		})
-	}
-}
-
 func TestDNSForwarder_TCPTruncation(t *testing.T) {
 	// Test that large UDP responses are truncated with TC bit set
 	mockResolver := &MockResolver{}
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -14,7 +14,6 @@ import (
 	"sort"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"time"

 	"github.com/hashicorp/go-multierror"
@@ -54,7 +53,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/client/internal/rosenpass"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
-	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	"github.com/netbirdio/netbird/client/internal/syncstore"
 	"github.com/netbirdio/netbird/client/internal/updater"
@@ -88,15 +86,6 @@ const (

 var ErrResetConnection = fmt.Errorf("reset connection")

-var ErrEngineAlreadyStarted = errors.New("engine already started")
-
-// engineRestartCount and engineLastRestart track client-restart cadence across
-// engine recreations so a restart loop is distinguishable from rare restarts.
-var (
-	engineRestartCount atomic.Int64
-	engineLastRestart  atomic.Int64
-)
-
 type EngineConfig struct {
 	WgPort      int
 	WgIfaceName string
@@ -210,8 +199,6 @@ type Engine struct {
 	ctx    context.Context
 	cancel context.CancelFunc

-	started bool
-
 	wgInterface WGIface

 	udpMux *udpmux.UniversalUDPMuxDefault
@@ -292,15 +279,9 @@ func NewEngine(
 	services EngineServices,
 	mobileDep MobileDependency,
 ) *Engine {
-	// The engine is single-use: a fresh instance is built per connection
-	// cycle (see Client.run), so the run context is created once here rather
-	// than in Start.
-	ctx, cancel := context.WithCancel(clientCtx)
 	engine := &Engine{
 		clientCtx:          clientCtx,
 		clientCancel:       clientCancel,
-		ctx:                ctx,
-		cancel:             cancel,
 		signal:             services.SignalClient,
 		signaler:           peer.NewSignaler(services.SignalClient, config.WgPrivateKey),
 		mgmClient:          services.MgmClient,
@@ -333,34 +314,8 @@ func (e *Engine) Stop() error {
 		log.Debugf("tried stopping engine that is nil")
 		return nil
 	}
-	e.cancel()
 	e.syncMsgMux.Lock()

-	e.stopLocked()
-
-	e.syncMsgMux.Unlock()
-
-	timeout := e.calculateShutdownTimeout()
-	log.Debugf("waiting for goroutines to finish with timeout: %v", timeout)
-	shutdownCtx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	if err := waitWithContext(shutdownCtx, &e.shutdownWg); err != nil {
-		log.Warnf("shutdown timeout exceeded after %v, some goroutines may still be running", timeout)
-	}
-
-	log.Infof("stopped Netbird Engine")
-
-	return nil
-}
-
-// stopLocked tears down everything Start may have brought up, in the order
-// teardown requires (DNS before the interface goes down, flow manager after).
-// The caller must hold syncMsgMux. It is shared by Stop and by Start's failure
-// path, so a partially-initialized engine is cleaned up the same way; every
-// step is nil-guarded. It does not wait on shutdownWg — the caller does that
-// after releasing the lock, since the goroutines also take syncMsgMux.
-func (e *Engine) stopLocked() {
 	if e.connMgr != nil {
 		e.connMgr.Close()
 	}
@@ -411,6 +366,10 @@ func (e *Engine) stopLocked() {
 	// so dbus and friends don't complain because of a missing interface
 	e.stopDNSServer()

+	if e.cancel != nil {
+		e.cancel()
+	}
+
 	e.jobExecutorWG.Wait() // block until job goroutines finish

 	e.close()
@@ -429,6 +388,21 @@ func (e *Engine) stopLocked() {
 	if err := e.stateManager.PersistState(context.Background()); err != nil {
 		log.Errorf("failed to persist state: %v", err)
 	}
+
+	e.syncMsgMux.Unlock()
+
+	timeout := e.calculateShutdownTimeout()
+	log.Debugf("waiting for goroutines to finish with timeout: %v", timeout)
+	shutdownCtx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	if err := waitWithContext(shutdownCtx, &e.shutdownWg); err != nil {
+		log.Warnf("shutdown timeout exceeded after %v, some goroutines may still be running", timeout)
+	}
+
+	log.Infof("stopped Netbird Engine")
+
+	return nil
 }

 // calculateShutdownTimeout returns shutdown timeout: 10s base + 100ms per peer, capped at 30s.
@@ -466,38 +440,18 @@ func waitWithContext(ctx context.Context, wg *sync.WaitGroup) error {
 // Start creates a new WireGuard tunnel interface and listens to events from Signal and Management services
 // Connections to remote peers are not established here.
 // However, they will be established once an event with a list of peers to connect to will be received from Management Service
-func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL) (err error) {
+func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL) error {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()

-	// The engine is single-use. Reject a duplicate start and a start on an
-	// already-stopped engine (run context cancelled).
-	if e.started {
-		return ErrEngineAlreadyStarted
-	}
-
-	if ctxErr := e.ctx.Err(); ctxErr != nil {
-		return fmt.Errorf("engine already stopped: %w", ctxErr)
-	}
-
-	e.started = true
-
-	// Tear down any partially-initialized state on a failed start. Cancel the
-	// run context first so goroutines started before the failure (connMgr,
-	// srWatcher, monitors) unwind, then stopLocked mirrors Stop's teardown (we
-	// already hold syncMsgMux), cleaning up route/DNS/flow/state managers too,
-	// not just what close() covers.
-	defer func() {
-		if err != nil {
-			e.cancel()
-			e.stopLocked()
-		}
-	}()
-
-	if err = iface.ValidateMTU(e.config.MTU); err != nil {
+	if err := iface.ValidateMTU(e.config.MTU); err != nil {
 		return fmt.Errorf("invalid MTU configuration: %w", err)
 	}

+	if e.cancel != nil {
+		e.cancel()
+	}
+	e.ctx, e.cancel = context.WithCancel(e.clientCtx)
 	e.exposeManager = expose.NewManager(e.ctx, e.mgmClient)

 	wgIface, err := e.newWgIface()
@@ -531,11 +485,13 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)

 	initialRoutes, dnsConfig, dnsFeatureFlag, err := e.readInitialSettings()
 	if err != nil {
+		e.close()
 		return fmt.Errorf("read initial settings: %w", err)
 	}

 	dnsServer, err := e.newDnsServer(dnsConfig)
 	if err != nil {
+		e.close()
 		return fmt.Errorf("create dns server: %w", err)
 	}
 	e.dnsServer = dnsServer
@@ -570,6 +526,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)

 	if err = e.wgInterfaceCreate(); err != nil {
 		log.Errorf("failed creating tunnel interface %s: [%s]", e.config.WgIfaceName, err.Error())
+		e.close()
 		return fmt.Errorf("create wg interface: %w", err)
 	}

@@ -578,6 +535,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	}

 	if err := e.createFirewall(); err != nil {
+		e.close()
 		return err
 	}

@@ -589,6 +547,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	e.udpMux, err = e.wgInterface.Up()
 	if err != nil {
 		log.Errorf("failed to pull up wgInterface [%s]: %s", e.wgInterface.Name(), err.Error())
+		e.close()
 		return fmt.Errorf("up wg interface: %w", err)
 	}

@@ -613,7 +572,9 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 		e.acl = acl.NewDefaultManager(e.firewall)
 	}

-	if err := e.dnsServer.Initialize(); err != nil {
+	err = e.dnsServer.Initialize()
+	if err != nil {
+		e.close()
 		return fmt.Errorf("initialize dns server: %w", err)
 	}

@@ -625,9 +586,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	e.srWatcher = guard.NewSRWatcher(e.signal, e.relayManager, e.mobileDep.IFaceDiscover, iceCfg)
 	e.srWatcher.Start(peer.IsForceRelayed())

-	if err = e.receiveSignalEvents(); err != nil {
-		return err
-	}
+	e.receiveSignalEvents()
 	e.receiveManagementEvents()
 	e.receiveJobEvents()

@@ -679,6 +638,7 @@ func (e *Engine) createFirewall() error {

 func (e *Engine) initFirewall() error {
 	if err := e.routeManager.SetFirewall(e.firewall); err != nil {
+		e.close()
 		return fmt.Errorf("set firewall: %w", err)
 	}

@@ -918,23 +878,14 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 	if e.ctx.Err() != nil {
 		return e.ctx.Err()
 	}
-	serial := update.GetNetworkMap().GetSerial()
-	if nm := update.GetNetworkMap(); nm != nil {
-		log.Infof("sync update: serial=%d remotePeers=%d offlinePeers=%d routes=%d firewallRules=%d checks=%d configPresent=%v remotePeersEmpty=%v",
-			nm.GetSerial(), len(nm.GetRemotePeers()), len(nm.GetOfflinePeers()), len(nm.GetRoutes()),
-			len(nm.GetFirewallRules()), len(update.GetChecks()), update.GetNetbirdConfig() != nil, nm.GetRemotePeersIsEmpty())
-	} else {
-		log.Infof("sync update: config-only (no network map), configPresent=%v", update.GetNetbirdConfig() != nil)
-	}

 	if update.NetworkMap != nil && update.NetworkMap.PeerConfig != nil {
 		e.handleAutoUpdateVersion(update.NetworkMap.PeerConfig.AutoUpdate)
 	}
-	startTime := time.Now()
+
 	if err := e.updateNetbirdConfig(update.GetNetbirdConfig()); err != nil {
 		return err
 	}
-	log.Infof("netbird config updated in %s, serial=%d", time.Since(startTime), serial)

 	// Posture checks are bound to the network map presence:
 	//   NetworkMap != nil, checks present -> apply the received checks
@@ -945,21 +896,17 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 	if nm == nil {
 		return nil
 	}
-	startTime = time.Now()
+
 	if err := e.updateChecksIfNew(update.Checks); err != nil {
 		return err
 	}
-	log.Infof("checks updated in %s, serial=%d", time.Since(startTime), serial)

-	startTime = time.Now()
 	e.persistSyncResponse(update)
-	log.Infof("sync response persisted in %s, serial=%d", time.Since(startTime), serial)
+
 	// only apply new changes and ignore old ones
-	startTime = time.Now()
 	if err := e.updateNetworkMap(nm); err != nil {
 		return err
 	}
-	log.Infof("network map updated in %s, serial=%d", time.Since(startTime), serial)

 	e.statusRecorder.PublishEvent(cProto.SystemEvent_INFO, cProto.SystemEvent_SYSTEM, "Network map updated", "", nil)

@@ -1379,56 +1326,44 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {

 	dnsConfig := toDNSConfig(protoDNSConfig, e.wgInterface.Address())

-	startTime := time.Now()
 	if err := e.dnsServer.UpdateDNSServer(serial, dnsConfig); err != nil {
 		log.Errorf("failed to update dns server, err: %v", err)
 	}
-	log.Infof("updated dns server in %v, serial=%d", time.Since(startTime), serial)

 	e.routeManager.SetDNSForwarderPort(dnsConfig.ForwarderPort)

 	// apply routes first, route related actions might depend on routing being enabled
-	startTime = time.Now()
 	routes := toRoutes(networkMap.GetRoutes())
 	serverRoutes, clientRoutes := e.routeManager.ClassifyRoutes(routes)
-	log.Infof("updated routes in %v, serial=%d", time.Since(startTime), serial)
+
 	// lazy mgr needs to be aware of which routes are available before they are applied
 	if e.connMgr != nil {
 		e.connMgr.UpdateRouteHAMap(clientRoutes)
 		log.Debugf("updated lazy connection manager with %d HA groups", len(clientRoutes))
 	}

-	startTime = time.Now()
 	dnsRouteFeatureFlag := toDNSFeatureFlag(networkMap)
 	if err := e.routeManager.UpdateRoutes(serial, serverRoutes, clientRoutes, dnsRouteFeatureFlag); err != nil {
 		log.Errorf("failed to update routes: %v", err)
 	}
-	log.Infof("updated routes in %v, serial=%d", time.Since(startTime), serial)

-	startTime = time.Now()
 	if e.acl != nil {
 		e.acl.ApplyFiltering(networkMap, dnsRouteFeatureFlag)
 	}
-	log.Infof("updated filtering in %v, serial=%d", time.Since(startTime), serial)

-	startTime = time.Now()
 	fwdEntries := toRouteDomains(e.config.WgPrivateKey.PublicKey().String(), routes)
 	e.updateDNSForwarder(dnsRouteFeatureFlag, fwdEntries)
-	log.Infof("updated DNS forwarder in %v, serial=%d", time.Since(startTime), serial)

-	startTime = time.Now()
 	// Ingress forward rules
 	forwardingRules, err := e.updateForwardRules(networkMap.GetForwardingRules())
 	if err != nil {
 		log.Errorf("failed to update forward rules, err: %v", err)
 	}
-	log.Infof("updated forward rules in %v, serial=%d", time.Since(startTime), serial)

 	log.Debugf("got peers update from Management Service, total peers to connect to = %d", len(networkMap.GetRemotePeers()))

-	startTime = time.Now()
 	e.updateOfflinePeers(networkMap.GetOfflinePeers())
-	log.Infof("updated offline peers in %v, serial=%d", time.Since(startTime), serial)
+
 	// Filter out own peer from the remote peers list
 	localPubKey := e.config.WgPrivateKey.PublicKey().String()
 	remotePeers := make([]*mgmProto.RemotePeerConfig, 0, len(networkMap.GetRemotePeers()))
@@ -1446,24 +1381,20 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 			return err
 		}
 	} else {
-		startTime = time.Now()
 		err := e.removePeers(remotePeers)
 		if err != nil {
 			return err
 		}
-		log.Infof("removed peers in %v, serial=%d", time.Since(startTime), serial)
-		startTime = time.Now()
+
 		err = e.modifyPeers(remotePeers)
 		if err != nil {
 			return err
 		}
-		log.Infof("modified peers in %v, serial=%d", time.Since(startTime), serial)
-		startTime = time.Now()
+
 		err = e.addNewPeers(remotePeers)
 		if err != nil {
 			return err
 		}
-		log.Infof("added peers in %v, serial=%d", time.Since(startTime), serial)

 		e.statusRecorder.FinishPeerListModifications()

@@ -1476,11 +1407,9 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		e.updateSSHServerAuth(networkMap.GetSshAuth())
 	}

-	startTime = time.Now()
 	// must set the exclude list after the peers are added. Without it the manager can not figure out the peers parameters from the store
 	excludedLazyPeers := e.toExcludedLazyPeers(forwardingRules, remotePeers)
 	e.connMgr.SetExcludeList(e.ctx, excludedLazyPeers)
-	log.Infof("updated lazy connection manager exclude list in %v, serial=%d", time.Since(startTime), serial)

 	e.networkSerial = serial

@@ -1769,7 +1698,7 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix, agentV
 }

 // receiveSignalEvents connects to the Signal Service event stream to negotiate connection with remote peers
-func (e *Engine) receiveSignalEvents() error {
+func (e *Engine) receiveSignalEvents() {
 	e.shutdownWg.Add(1)
 	go func() {
 		defer e.shutdownWg.Done()
@@ -1785,13 +1714,6 @@ func (e *Engine) receiveSignalEvents() error {
 				return e.ctx.Err()
 			}

-			// Self-addressed heartbeat: the signal client's receive watchdog
-			// round-trips this through the server to confirm the receive stream
-			// is delivering. Liveness is already recorded before this handler.
-			if msg.GetBody().GetType() == sProto.Body_HEARTBEAT {
-				return nil
-			}
-
 			conn, ok := e.peerStore.PeerConn(msg.Key)
 			if !ok {
 				return fmt.Errorf("wrongly addressed message %s", msg.Key)
@@ -1840,12 +1762,7 @@ func (e *Engine) receiveSignalEvents() error {
 		}
 	}()

-	// todo: consider to remove this blocker. I do not see benefit to block the Start operations
-	e.signal.WaitStreamConnected(e.ctx)
-	if err := e.ctx.Err(); err != nil {
-		return fmt.Errorf("wait for signal stream: %w", err)
-	}
-	return nil
+	e.signal.WaitStreamConnected()
 }

 func (e *Engine) parseNATExternalIPMappings() []string {
@@ -1995,7 +1912,6 @@ func (e *Engine) newWgIface() (*iface.WGIface, error) {
 		WGPrivKey:    e.config.WgPrivateKey.String(),
 		MTU:          e.config.MTU,
 		TransportNet: transportNet,
-		FilterFn:     e.addrViaRoutes,
 		DisableDNS:   e.config.DisableDNS,
 	}

@@ -2212,14 +2128,7 @@ func (e *Engine) triggerClientRestart() {
 		return
 	}

-	// Cadence survives engine recreation (package-level), so a restart loop shows
-	// as a fast-climbing count with a short gap, distinct from rare intentional restarts.
-	n := engineRestartCount.Add(1)
-	var sinceLast time.Duration
-	if prev := engineLastRestart.Swap(time.Now().UnixNano()); prev != 0 {
-		sinceLast = time.Since(time.Unix(0, prev))
-	}
-	log.Infof("restarting engine (restart #%d, %s since previous)", n, sinceLast.Round(time.Second))
+	log.Info("restarting engine")
 	CtxGetState(e.ctx).Set(StatusConnecting)
 	_ = CtxGetState(e.ctx).Wrap(ErrResetConnection)
 	log.Infof("cancelling client context, engine will be recreated")
@@ -2250,21 +2159,6 @@ func (e *Engine) startNetworkMonitor() {
 	}()
 }

-func (e *Engine) addrViaRoutes(addr netip.Addr) (bool, netip.Prefix, error) {
-	var vpnRoutes []netip.Prefix
-	for _, routes := range e.routeManager.GetClientRoutes() {
-		if len(routes) > 0 && routes[0] != nil {
-			vpnRoutes = append(vpnRoutes, routes[0].Network)
-		}
-	}
-
-	if isVpn, prefix := systemops.IsAddrRouted(addr, vpnRoutes); isVpn {
-		return true, prefix, nil
-	}
-
-	return false, netip.Prefix{}, nil
-}
-
 func (e *Engine) stopDNSServer() {
 	if e.dnsServer == nil {
 		return
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -247,7 +247,7 @@ func TestEngine_SSH(t *testing.T) {
 		return
 	}

-	ctx, cancel := context.WithCancel(CtxInitState(context.Background()))
+	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()

 	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
@@ -426,7 +426,7 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 		return
 	}

-	ctx, cancel := context.WithCancel(CtxInitState(context.Background()))
+	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()

 	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
@@ -638,7 +638,7 @@ func TestEngine_Sync(t *testing.T) {
 		return
 	}

-	ctx, cancel := context.WithCancel(CtxInitState(context.Background()))
+	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()

 	// feed updates to Engine via mocked Management client
@@ -817,7 +817,7 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 				return
 			}

-			ctx, cancel := context.WithCancel(CtxInitState(context.Background()))
+			ctx, cancel := context.WithCancel(context.Background())
 			defer cancel()

 			wgIfaceName := fmt.Sprintf("utun%d", 104+n)
@@ -1024,7 +1024,7 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 				return
 			}

-			ctx, cancel := context.WithCancel(CtxInitState(context.Background()))
+			ctx, cancel := context.WithCancel(context.Background())
 			defer cancel()

 			wgIfaceName := fmt.Sprintf("utun%d", 104+n)
--- a/client/internal/peer/status.go
+++ b/client/internal/peer/status.go
@@ -1024,17 +1024,14 @@ func (d *Status) GetRelayStates() []relay.ProbeResult {
 		return d.relayStates
 	}

-	// extend the list of stun, turn servers with the relay server connections
+	// extend the list of stun, turn servers with relay address
 	relayStates := slices.Clone(d.relayStates)

-	states := d.relayMgr.RelayStates()
-	if len(states) == 0 {
-		// no relay connection tracked yet; surface configured servers as
-		// unavailable with the real reconnect error when known
-		err := relayClient.ErrRelayClientNotConnected
-		if connErr := d.relayMgr.RelayConnectError(); connErr != nil {
-			err = connErr
-		}
+	// if the server connection is not established then we will use the general address
+	// in case of connection we will use the instance specific address
+	instanceAddr, _, err := d.relayMgr.RelayInstanceAddress()
+	if err != nil {
+		// TODO add their status
 		for _, r := range d.relayMgr.ServerURLs() {
 			relayStates = append(relayStates, relay.ProbeResult{
 				URI: r,
@@ -1044,14 +1041,10 @@ func (d *Status) GetRelayStates() []relay.ProbeResult {
 		return relayStates
 	}

-	for _, rs := range states {
-		relayStates = append(relayStates, relay.ProbeResult{
-			URI:       rs.URL,
-			Err:       rs.Err,
-			Transport: rs.Transport,
-		})
+	relayState := relay.ProbeResult{
+		URI: instanceAddr,
 	}
-	return relayStates
+	return append(relayStates, relayState)
 }

 func (d *Status) ForwardingRules() []firewall.ForwardRule {
@@ -1412,7 +1405,6 @@ func (fs FullStatus) ToProto() *proto.FullStatus {
 		pbRelayState := &proto.RelayState{
 			URI:       relayState.URI,
 			Available: relayState.Err == nil,
-			Transport: relayState.Transport,
 		}
 		if err := relayState.Err; err != nil {
 			pbRelayState.Error = err.Error()
--- a/client/internal/peer/worker_ice.go
+++ b/client/internal/peer/worker_ice.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"net/netip"
 	"strconv"
 	"sync"
 	"time"
@@ -165,10 +164,6 @@ func (w *WorkerICE) OnRemoteCandidate(candidate ice.Candidate, haRoutes route.HA
 		return
 	}

-	if candidateViaRoutes(candidate, haRoutes) {
-		return
-	}
-
 	if err := w.agent.AddRemoteCandidate(candidate); err != nil {
 		w.log.Errorf("error while handling remote candidate")
 		return
@@ -466,7 +461,7 @@ func (w *WorkerICE) createForwardedCandidate(srflxCandidate ice.Candidate, mappi
 }

 func (w *WorkerICE) onICESelectedCandidatePair(agent *icemaker.ThreadSafeAgent, c1, c2 ice.Candidate) {
-	w.log.Infof("selected candidate pair [local <-> remote] -> [%s <-> %s], peer %s", c1.String(), c2.String(),
+	w.log.Debugf("selected candidate pair [local <-> remote] -> [%s <-> %s], peer %s", c1.String(), c2.String(),
 		w.config.Key)

 	pairStat, ok := agent.GetSelectedCandidatePairStats()
@@ -589,34 +584,6 @@ func extraSrflxCandidate(candidate ice.Candidate) (*ice.CandidateServerReflexive
 	return ec, nil
 }

-func candidateViaRoutes(candidate ice.Candidate, clientRoutes route.HAMap) bool {
-	addr, err := netip.ParseAddr(candidate.Address())
-	if err != nil {
-		log.Errorf("Failed to parse IP address %s: %v", candidate.Address(), err)
-		return false
-	}
-
-	var routePrefixes []netip.Prefix
-	for _, routes := range clientRoutes {
-		if len(routes) > 0 && routes[0] != nil {
-			routePrefixes = append(routePrefixes, routes[0].Network)
-		}
-	}
-
-	for _, prefix := range routePrefixes {
-		// default route is handled by route exclusion / ip rules
-		if prefix.Bits() == 0 {
-			continue
-		}
-
-		if prefix.Contains(addr) {
-			log.Debugf("Ignoring candidate [%s], its address is part of routed network %s", candidate.String(), prefix)
-			return true
-		}
-	}
-	return false
-}
-
 func isRelayCandidate(candidate ice.Candidate) bool {
 	return candidate.Type() == ice.CandidateTypeRelay
 }
--- a/client/internal/profilemanager/config.go
+++ b/client/internal/profilemanager/config.go
@@ -108,10 +108,6 @@ type ConfigInput struct {

 // Config Configuration type
 type Config struct {
-	// Name is the human-readable profile name shown in CLI/UI listings.
-	// It is independent of the profile's on-disk filename (which is the ID).
-	Name string
-
 	// Wireguard private key of local peer
 	PrivateKey                    string
 	PreSharedKey                  string
@@ -274,16 +270,6 @@ func createNewConfig(input ConfigInput) (*Config, error) {
 }

 func (config *Config) apply(input ConfigInput) (updated bool, err error) {
-	if config.Name != "" {
-		sanitized, err := sanitizeDisplayName(config.Name)
-		if err != nil {
-			return false, fmt.Errorf("invalid profile name: %w", err)
-		}
-		if sanitized != config.Name {
-			config.Name = sanitized
-			updated = true
-		}
-	}
 	if config.ManagementURL == nil {
 		log.Infof("using default Management URL %s", DefaultManagementURL)
 		config.ManagementURL, err = parseURL("Management URL", DefaultManagementURL)
--- a/client/internal/profilemanager/id.go
+++ b/client/internal/profilemanager/id.go
@@ -1,118 +0,0 @@
-package profilemanager
-
-import (
-	"crypto/rand"
-	"encoding/hex"
-	"fmt"
-	"path/filepath"
-	"strings"
-	"unicode"
-	"unicode/utf8"
-)
-
-const (
-	// profileIDByteLen is the number of random bytes generated for a new
-	// profile ID. The resulting hex string is twice this length.
-	profileIDByteLen = 16
-
-	// shortIDLen is the number of leading characters of an ID we render in
-	// list output. Profiles per device are few, so 8 chars is collision-safe
-	// in practice and easy to type as a prefix.
-	shortIDLen = 8
-
-	// maxProfileNameLen caps the human-readable profile name to keep table
-	// output legible and prevent denial-of-service via huge JSON fields.
-	maxProfileNameLen = 128
-
-	// maxProfileIDLen bounds the on-disk filename we'll accept. New
-	// IDs are 32 hex chars, legacy stems are sanitized profile names. The
-	// cap is generous enough to cover both without permitting absurdly
-	// long filenames.
-	maxProfileIDLen = 64
-)
-
-type ID string
-
-// generateProfileID returns a new random hex ID for a profile file.
-func generateProfileID() (ID, error) {
-	buf := make([]byte, profileIDByteLen)
-	if _, err := rand.Read(buf); err != nil {
-		return "", fmt.Errorf("read random bytes: %w", err)
-	}
-	return ID(hex.EncodeToString(buf)), nil
-}
-
-// IsValidProfileFilenameStem reports whether id is safe to use as the stem
-// of a profile JSON filename.
-func IsValidProfileFilenameStem(id ID) bool {
-	s := id.String()
-	if s == "" || len(s) > maxProfileIDLen {
-		return false
-	}
-	if s == defaultProfileName {
-		return true
-	}
-	if strings.ContainsAny(s, `/\`) || strings.Contains(s, "..") {
-		return false
-	}
-	// filepath.Base catches any leftover separators on platforms with
-	// exotic path conventions.
-	if filepath.Base(s) != s {
-		return false
-	}
-	for _, r := range s {
-		if !(unicode.IsLetter(r) || unicode.IsDigit(r) || r == '_' || r == '-') {
-			return false
-		}
-	}
-	return true
-}
-
-// sanitizeDisplayName normalizes a user-supplied profile display name for
-// storage. It strips ASCII control characters, rejects invalid UTF-8, and
-// caps the length. Emojis, spaces, punctuation, and non-ASCII letters are
-// preserved. Returns an error if nothing usable remains.
-func sanitizeDisplayName(name string) (string, error) {
-	if !utf8.ValidString(name) {
-		return "", fmt.Errorf("name is not valid UTF-8")
-	}
-	name = StripCtrlChars(name)
-	name = strings.TrimSpace(name)
-	if name == "" {
-		return "", fmt.Errorf("name is empty after sanitization")
-	}
-	if utf8.RuneCountInString(name) > maxProfileNameLen {
-		return "", fmt.Errorf("name exceeds %d characters", maxProfileNameLen)
-	}
-	return name, nil
-}
-
-// StripCtrlChars control characters from a name before printing it.
-func StripCtrlChars(name string) string {
-	var b strings.Builder
-	b.Grow(len(name))
-	for _, r := range name {
-		// Skip C0 controls and DEL, plus C1 controls (0x80–0x9F).
-		if r < 0x20 || r == 0x7F || (r >= 0x80 && r <= 0x9F) {
-			continue
-		}
-		b.WriteRune(r)
-	}
-	return b.String()
-}
-
-// ShortID truncates an ID for display.
-func (id ID) ShortID() string {
-	if id == DefaultProfileName {
-		return DefaultProfileName
-	}
-	runes := []rune(id)
-	if len(runes) <= shortIDLen {
-		return id.String()
-	}
-	return string(runes[:shortIDLen])
-}
-
-func (id ID) String() string {
-	return string(id)
-}
--- a/client/internal/profilemanager/profilemanager.go
+++ b/client/internal/profilemanager/profilemanager.go
@@ -19,41 +19,19 @@ const (
 )

 type Profile struct {
-	// ID is the on-disk filename stem (without .json). For new profiles
-	// it is a 32-char hex string; legacy profiles created before the
-	// ID-keyed layout keep their original name as their ID. The reserved
-	// value "default" identifies the special default profile.
-	ID ID
-	// Name is the human-readable display name. Falls back to ID when the
-	// underlying JSON has no "name" field set.
-	Name string
-	// Path is the absolute path to the profile JSON. Populated by the
-	// loader so callers do not have to reconstruct it from ID + dir.
-	Path     string
+	Name     string
 	IsActive bool
 }

 func (p *Profile) FilePath() (string, error) {
-	if p.Path != "" {
-		return p.Path, nil
+	if p.Name == "" {
+		return "", fmt.Errorf("active profile name is empty")
 	}

-	id := p.ID
-	if id == "" {
-		id = ID(p.Name)
-	}
-	if id == "" {
-		return "", fmt.Errorf("profile ID is empty")
-	}
-
-	if id == defaultProfileName {
+	if p.Name == defaultProfileName {
 		return DefaultConfigPath, nil
 	}

-	if !IsValidProfileFilenameStem(id) {
-		return "", fmt.Errorf("invalid profile ID: %q", id)
-	}
-
 	username, err := user.Current()
 	if err != nil {
 		return "", fmt.Errorf("failed to get current user: %w", err)
@@ -64,13 +42,10 @@ func (p *Profile) FilePath() (string, error) {
 		return "", fmt.Errorf("failed to get config directory for user %s: %w", username.Username, err)
 	}

-	return filepath.Join(configDir, id.String()+".json"), nil
+	return filepath.Join(configDir, p.Name+".json"), nil
 }

 func (p *Profile) IsDefault() bool {
-	if p.ID != "" {
-		return p.ID == defaultProfileName
-	}
 	return p.Name == defaultProfileName
 }

@@ -82,24 +57,18 @@ func NewProfileManager() *ProfileManager {
 	return &ProfileManager{}
 }

-// GetActiveProfile returns the active profile as recorded in the local
-// user state file. Only ID is populated.
 func (pm *ProfileManager) GetActiveProfile() (*Profile, error) {
 	pm.mu.Lock()
 	defer pm.mu.Unlock()

-	id := pm.getActiveProfileState()
-	return &Profile{ID: id}, nil
+	prof := pm.getActiveProfileState()
+	return &Profile{Name: prof}, nil
 }

-// SwitchProfile records the given profile ID as active in the local user
-// state file.
-func (pm *ProfileManager) SwitchProfile(id ID) error {
-	if id != defaultProfileName && !IsValidProfileFilenameStem(id) {
-		return fmt.Errorf("invalid profile ID: %q", id)
-	}
+func (pm *ProfileManager) SwitchProfile(profileName string) error {
+	profileName = sanitizeProfileName(profileName)

-	if err := pm.setActiveProfileState(id); err != nil {
+	if err := pm.setActiveProfileState(profileName); err != nil {
 		return fmt.Errorf("failed to switch profile: %w", err)
 	}
 	return nil
@@ -116,7 +85,7 @@ func sanitizeProfileName(name string) string {
 	}, name)
 }

-func (pm *ProfileManager) getActiveProfileState() ID {
+func (pm *ProfileManager) getActiveProfileState() string {

 	configDir, err := getConfigDir()
 	if err != nil {
@@ -144,10 +113,10 @@ func (pm *ProfileManager) getActiveProfileState() ID {
 		return defaultProfileName
 	}

-	return ID(profileName)
+	return profileName
 }

-func (pm *ProfileManager) setActiveProfileState(id ID) error {
+func (pm *ProfileManager) setActiveProfileState(profileName string) error {

 	configDir, err := getConfigDir()
 	if err != nil {
@@ -156,7 +125,7 @@ func (pm *ProfileManager) setActiveProfileState(id ID) error {

 	statePath := filepath.Join(configDir, activeProfileStateFilename)

-	err = os.WriteFile(statePath, []byte(id), 0600)
+	err = os.WriteFile(statePath, []byte(profileName), 0600)
 	if err != nil {
 		return fmt.Errorf("failed to write active profile state: %w", err)
 	}
@@ -173,7 +142,7 @@ func GetLoginHint() string {
 		return ""
 	}

-	profileState, err := pm.GetProfileState(activeProf.ID)
+	profileState, err := pm.GetProfileState(activeProf.Name)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 		return ""
--- a/client/internal/profilemanager/profilemanager_test.go
+++ b/client/internal/profilemanager/profilemanager_test.go
@@ -50,14 +50,14 @@ func TestServiceManager_CreateAndGetDefaultProfile(t *testing.T) {

 			state, err := sm.GetActiveProfileState()
 			assert.NoError(t, err)
-			assert.Equal(t, defaultProfileName, state.ID.String()) // No active profile state yet
+			assert.Equal(t, state.Name, defaultProfileName) // No active profile state yet

 			err = sm.SetActiveProfileStateToDefault()
 			assert.NoError(t, err)

 			active, err := sm.GetActiveProfileState()
 			assert.NoError(t, err)
-			assert.Equal(t, "default", active.ID.String())
+			assert.Equal(t, "default", active.Name)
 		})
 	})
 }
@@ -92,14 +92,14 @@ func TestServiceManager_SetActiveProfileState(t *testing.T) {
 			currUser, err := user.Current()
 			assert.NoError(t, err)
 			sm := &ServiceManager{}
-			state := &ActiveProfileState{ID: "foo", Username: currUser.Username}
+			state := &ActiveProfileState{Name: "foo", Username: currUser.Username}
 			err = sm.SetActiveProfileState(state)
 			assert.NoError(t, err)

 			// Should error on nil or incomplete state
 			err = sm.SetActiveProfileState(nil)
 			assert.Error(t, err)
-			err = sm.SetActiveProfileState(&ActiveProfileState{ID: "", Username: ""})
+			err = sm.SetActiveProfileState(&ActiveProfileState{Name: "", Username: ""})
 			assert.Error(t, err)
 		})
 	})
--- a/client/internal/profilemanager/service.go
+++ b/client/internal/profilemanager/service.go
@@ -2,7 +2,6 @@ package profilemanager

 import (
 	"context"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -24,43 +23,12 @@ var (
 	DefaultConfigPathDir   = ""
 	DefaultConfigPath      = ""
 	ActiveProfileStatePath = ""
+)

+var (
 	ErrorOldDefaultConfigNotFound = errors.New("old default config not found")
 )

-// ErrAmbiguousHandle is returned when a profile handle (ID prefix or name)
-// matches more than one profile. Callers can render Candidates to help the
-// user disambiguate.
-type ErrAmbiguousHandle struct {
-	Handle     string
-	Candidates []Profile
-	Kind       AmbiguityKind
-}
-
-// AmbiguityKind describes which matcher produced the ambiguity, so callers
-// can tailor the error message.
-type AmbiguityKind int
-
-const (
-	AmbiguityKindIDPrefix AmbiguityKind = iota
-	AmbiguityKindName
-)
-
-// profileMeta is the minimal slice of a profile JSON we need, so we avoid
-// reading all fields
-type profileMeta struct {
-	Name string
-}
-
-func (e *ErrAmbiguousHandle) Error() string {
-	switch e.Kind {
-	case AmbiguityKindIDPrefix:
-		return fmt.Sprintf("ID prefix %q is ambiguous (matches %d profiles)", e.Handle, len(e.Candidates))
-	default:
-		return fmt.Sprintf("name %q is ambiguous (%d profiles share this name)", e.Handle, len(e.Candidates))
-	}
-}
-
 func init() {

 	DefaultConfigPathDir = "/var/lib/netbird/"
@@ -86,34 +54,25 @@ func init() {
 }

 type ActiveProfileState struct {
-	// ID is the on-disk filename stem of the active profile. The JSON tag stays
-	// as "name" for backwards compatibility with active state files written
-	// before the ID-based config files. Legacy values were profile names, which
-	// were also the legacy filename stems, so they still resolve to the correct
-	// file on disk.
-	ID       ID     `json:"name"`
+	Name     string `json:"name"`
 	Username string `json:"username"`
 }

 func (a *ActiveProfileState) FilePath() (string, error) {
-	if a.ID == "" {
-		return "", fmt.Errorf("active profile ID is empty")
+	if a.Name == "" {
+		return "", fmt.Errorf("active profile name is empty")
 	}

-	if a.ID == defaultProfileName {
+	if a.Name == defaultProfileName {
 		return DefaultConfigPath, nil
 	}

-	if !IsValidProfileFilenameStem(a.ID) {
-		return "", fmt.Errorf("invalid profile ID: %q", a.ID)
-	}
-
 	configDir, err := getConfigDirForUser(a.Username)
 	if err != nil {
 		return "", fmt.Errorf("failed to get config directory for user %s: %w", a.Username, err)
 	}

-	return filepath.Join(configDir, a.ID.String()+".json"), nil
+	return filepath.Join(configDir, a.Name+".json"), nil
 }

 type ServiceManager struct {
@@ -219,7 +178,7 @@ func (s *ServiceManager) GetActiveProfileState() (*ActiveProfileState, error) {
 				return nil, fmt.Errorf("failed to set active profile to default: %w", err)
 			}
 			return &ActiveProfileState{
-				ID:       defaultProfileName,
+				Name:     "default",
 				Username: "",
 			}, nil
 		} else {
@@ -227,12 +186,12 @@ func (s *ServiceManager) GetActiveProfileState() (*ActiveProfileState, error) {
 		}
 	}

-	if activeProfile.ID == "" {
+	if activeProfile.Name == "" {
 		if err := s.SetActiveProfileStateToDefault(); err != nil {
 			return nil, fmt.Errorf("failed to set active profile to default: %w", err)
 		}
 		return &ActiveProfileState{
-			ID:       defaultProfileName,
+			Name:     "default",
 			Username: "",
 		}, nil
 	}
@@ -257,29 +216,25 @@ func (s *ServiceManager) setDefaultActiveState() error {
 }

 func (s *ServiceManager) SetActiveProfileState(a *ActiveProfileState) error {
-	if a == nil || a.ID == "" {
+	if a == nil || a.Name == "" {
 		return errors.New("invalid active profile state")
 	}

-	if a.ID != defaultProfileName && a.Username == "" {
-		return fmt.Errorf("username must be set for non-default profiles, got: %s", a.ID)
-	}
-
-	if a.ID != defaultProfileName && !IsValidProfileFilenameStem(a.ID) {
-		return fmt.Errorf("invalid profile ID: %q", a.ID)
+	if a.Name != defaultProfileName && a.Username == "" {
+		return fmt.Errorf("username must be set for non-default profiles, got: %s", a.Name)
 	}

 	if err := util.WriteJsonWithRestrictedPermission(context.Background(), ActiveProfileStatePath, a); err != nil {
 		return fmt.Errorf("failed to write active profile state: %w", err)
 	}

-	log.Infof("active profile set to %s for %s", a.ID, a.Username)
+	log.Infof("active profile set to %s for %s", a.Name, a.Username)
 	return nil
 }

 func (s *ServiceManager) SetActiveProfileStateToDefault() error {
 	return s.SetActiveProfileState(&ActiveProfileState{
-		ID:       defaultProfileName,
+		Name:     "default",
 		Username: "",
 	})
 }
@@ -288,117 +243,57 @@ func (s *ServiceManager) DefaultProfilePath() string {
 	return DefaultConfigPath
 }

-// AddProfile creates a new profile with a generated ID. The user-supplied
-// displayName is stored inside the JSON's name field, the on-disk filename
-// uses the generated ID.
-//
-// The returned Profile carries the freshly-generated ID so callers can
-// show it to the user (and so the gRPC AddProfileResponse can include
-// it).
-func (s *ServiceManager) AddProfile(displayName, username string) (*Profile, error) {
+func (s *ServiceManager) AddProfile(profileName, username string) error {
 	configDir, err := s.getConfigDir(username)
 	if err != nil {
-		return nil, fmt.Errorf("failed to get config directory: %w", err)
+		return fmt.Errorf("failed to get config directory: %w", err)
 	}

-	displayName, err = sanitizeDisplayName(displayName)
+	profileName = sanitizeProfileName(profileName)
+
+	if profileName == defaultProfileName {
+		return fmt.Errorf("cannot create profile with reserved name: %s", defaultProfileName)
+	}
+
+	profPath := filepath.Join(configDir, profileName+".json")
+	profileExists, err := fileExists(profPath)
 	if err != nil {
-		return nil, fmt.Errorf("invalid profile name: %w", err)
+		return fmt.Errorf("failed to check if profile exists: %w", err)
+	}
+	if profileExists {
+		return ErrProfileAlreadyExists
 	}

-	id, err := generateProfileID()
-	if err != nil {
-		return nil, fmt.Errorf("generate profile id: %w", err)
-	}
-
-	profPath := filepath.Join(configDir, id.String()+".json")
 	cfg, err := createNewConfig(ConfigInput{ConfigPath: profPath})
 	if err != nil {
-		return nil, fmt.Errorf("failed to create new config: %w", err)
-	}
-	cfg.Name = displayName
-
-	if err := util.WriteJson(context.Background(), profPath, cfg); err != nil {
-		return nil, fmt.Errorf("failed to write profile config: %w", err)
+		return fmt.Errorf("failed to create new config: %w", err)
 	}

-	return &Profile{
-		ID:   id,
-		Name: displayName,
-		Path: profPath,
-	}, nil
-}
-
-func (s *ServiceManager) RenameProfile(id ID, username string, newName string) error {
-	displayName, err := sanitizeDisplayName(newName)
+	err = util.WriteJson(context.Background(), profPath, cfg)
 	if err != nil {
-		return fmt.Errorf("invalid profile name: %w", err)
+		return fmt.Errorf("failed to write profile config: %w", err)
 	}

-	if !IsValidProfileFilenameStem(id) {
-		return fmt.Errorf("invalid profile ID: %q", id)
-	}
-
-	profiles, err := s.loadAllProfiles(username)
-	if err != nil {
-		return fmt.Errorf("load profiles: %w", err)
-	}
-
-	var target *Profile
-	for i := range profiles {
-		if profiles[i].ID == id {
-			target = &profiles[i]
-			break
-		}
-	}
-	if target == nil {
-		return ErrProfileNotFound
-	}
-
-	data, err := os.ReadFile(target.Path)
-	if err != nil {
-		return err
-	}
-	var cfg Config
-	if err := json.Unmarshal(data, &cfg); err != nil {
-		return err
-	}
-	cfg.Name = displayName
-
-	if err := util.WriteJson(context.Background(), target.Path, cfg); err != nil {
-		return fmt.Errorf("failed to write profile name: %w", err)
-	}
 	return nil
 }

-// RemoveProfile deletes the profile identified by id. Callers must have
-// already resolved any user-supplied handle to a concrete ID via
-// ResolveProfile.
-func (s *ServiceManager) RemoveProfile(id ID, username string) error {
-	if id == defaultProfileName {
-		defaultName := readProfileName(DefaultConfigPath)
-		if defaultName == "" {
-			defaultName = defaultProfileName
-		}
-		return fmt.Errorf("cannot remove default profile with name: %s", defaultName)
-	}
-	if !IsValidProfileFilenameStem(id) {
-		return fmt.Errorf("invalid profile ID: %q", id)
-	}
-
-	profiles, err := s.loadAllProfiles(username)
+func (s *ServiceManager) RemoveProfile(profileName, username string) error {
+	configDir, err := s.getConfigDir(username)
 	if err != nil {
-		return fmt.Errorf("load profiles: %w", err)
+		return fmt.Errorf("failed to get config directory: %w", err)
 	}

-	var target *Profile
-	for i := range profiles {
-		if profiles[i].ID == id {
-			target = &profiles[i]
-			break
-		}
+	profileName = sanitizeProfileName(profileName)
+
+	if profileName == defaultProfileName {
+		return fmt.Errorf("cannot remove profile with reserved name: %s", defaultProfileName)
 	}
-	if target == nil {
+	profPath := filepath.Join(configDir, profileName+".json")
+	profileExists, err := fileExists(profPath)
+	if err != nil {
+		return fmt.Errorf("failed to check if profile exists: %w", err)
+	}
+	if !profileExists {
 		return ErrProfileNotFound
 	}

@@ -406,26 +301,57 @@ func (s *ServiceManager) RemoveProfile(id ID, username string) error {
 	if err != nil && !errors.Is(err, ErrNoActiveProfile) {
 		return fmt.Errorf("failed to get active profile: %w", err)
 	}
-	if activeProf != nil && activeProf.ID == id {
-		return fmt.Errorf("cannot remove active profile: %s", id)
+
+	if activeProf != nil && activeProf.Name == profileName {
+		return fmt.Errorf("cannot remove active profile: %s", profileName)
 	}

-	if err := util.RemoveJson(target.Path); err != nil {
+	err = util.RemoveJson(profPath)
+	if err != nil {
 		return fmt.Errorf("failed to remove profile config: %w", err)
 	}
-
-	stateFile := filepath.Join(filepath.Dir(target.Path), id.String()+".state.json")
-	if err := os.Remove(stateFile); err != nil && !os.IsNotExist(err) {
-		log.Warnf("failed to remove profile state file %s: %v", stateFile, err)
-	}
-
 	return nil
 }

-// ListProfiles returns every profile for the given user, including the
-// default profile, with IsActive flags set.
 func (s *ServiceManager) ListProfiles(username string) ([]Profile, error) {
-	return s.loadAllProfiles(username)
+	configDir, err := s.getConfigDir(username)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get config directory: %w", err)
+	}
+
+	files, err := util.ListFiles(configDir, "*.json")
+	if err != nil {
+		return nil, fmt.Errorf("failed to list profile files: %w", err)
+	}
+
+	var filtered []string
+	for _, file := range files {
+		if strings.HasSuffix(file, "state.json") {
+			continue // skip state files
+		}
+		filtered = append(filtered, file)
+	}
+	sort.Strings(filtered)
+
+	var activeProfName string
+	activeProf, err := s.GetActiveProfileState()
+	if err == nil {
+		activeProfName = activeProf.Name
+	}
+
+	var profiles []Profile
+	// add default profile always
+	profiles = append(profiles, Profile{Name: defaultProfileName, IsActive: activeProfName == "" || activeProfName == defaultProfileName})
+	for _, file := range filtered {
+		profileName := strings.TrimSuffix(filepath.Base(file), ".json")
+		var isActive bool
+		if activeProfName != "" && activeProfName == profileName {
+			isActive = true
+		}
+		profiles = append(profiles, Profile{Name: profileName, IsActive: isActive})
+	}
+
+	return profiles, nil
 }

 // GetStatePath returns the path to the state file based on the operating system
@@ -443,12 +369,7 @@ func (s *ServiceManager) GetStatePath() string {
 		return defaultStatePath
 	}

-	if activeProf.ID == defaultProfileName {
-		return defaultStatePath
-	}
-
-	if !IsValidProfileFilenameStem(activeProf.ID) {
-		log.Warnf("invalid active profile ID %q, using default state path", activeProf.ID)
+	if activeProf.Name == defaultProfileName {
 		return defaultStatePath
 	}

@@ -458,7 +379,7 @@ func (s *ServiceManager) GetStatePath() string {
 		return defaultStatePath
 	}

-	return filepath.Join(configDir, activeProf.ID.String()+".state.json")
+	return filepath.Join(configDir, activeProf.Name+".state.json")
 }

 // getConfigDir returns the profiles directory, using profilesDir if set, otherwise getConfigDirForUser
@@ -469,169 +390,3 @@ func (s *ServiceManager) getConfigDir(username string) (string, error) {

 	return getConfigDirForUser(username)
 }
-
-// loadAllProfiles returns every profile visible to the daemon for the
-// given user, including the default profile. The returned slice is sorted
-// by ID for a stable display order.
-//
-// Each Profile is fully populated: ID is the filename stem, Name comes
-// from the JSON's "name" field (falling back to the filename stem when absent)
-// and Path is built from a basename read off disk.
-func (s *ServiceManager) loadAllProfiles(username string) ([]Profile, error) {
-	activeID, activeIsDefault := s.activeProfileID()
-	defaultName := readProfileName(DefaultConfigPath)
-	if defaultName == "" {
-		defaultName = defaultProfileName
-	}
-
-	profiles := []Profile{{
-		ID:       defaultProfileName,
-		Name:     defaultName,
-		Path:     DefaultConfigPath,
-		IsActive: activeIsDefault,
-	}}
-
-	configDir, err := s.getConfigDir(username)
-	if err != nil {
-		return nil, fmt.Errorf("get config directory: %w", err)
-	}
-
-	entries, err := os.ReadDir(configDir)
-	if err != nil {
-		if errors.Is(err, os.ErrNotExist) {
-			return profiles, nil
-		}
-		return nil, fmt.Errorf("read profile directory: %w", err)
-	}
-
-	var fileProfiles []Profile
-	for _, entry := range entries {
-		if entry.IsDir() {
-			continue
-		}
-		base := entry.Name()
-		if !strings.HasSuffix(base, ".json") {
-			continue
-		}
-		if strings.HasSuffix(base, ".state.json") {
-			continue
-		}
-		stem := ID(strings.TrimSuffix(base, ".json"))
-		if stem == defaultProfileName {
-			// default lives at the top-level config dir, not under /<user>
-			continue
-		}
-		if !IsValidProfileFilenameStem(ID(stem)) {
-			continue
-		}
-		path := filepath.Join(configDir, base)
-		name := readProfileName(path)
-		if name == "" {
-			name = stem.String()
-		}
-		fileProfiles = append(fileProfiles, Profile{
-			ID:       stem,
-			Name:     name,
-			Path:     path,
-			IsActive: stem == ID(activeID),
-		})
-	}
-
-	sort.Slice(fileProfiles, func(i, j int) bool {
-		if fileProfiles[i].Name != fileProfiles[j].Name {
-			return fileProfiles[i].Name < fileProfiles[j].Name
-		}
-		// Sort tie-break on ID so duplicate names always render in the same order.
-		return fileProfiles[i].ID < fileProfiles[j].ID
-	})
-	profiles = append(profiles, fileProfiles...)
-	return profiles, nil
-}
-
-// readProfileName parses just the "name" field from the profile Json.
-func readProfileName(path string) string {
-	data, err := os.ReadFile(path)
-	if err != nil {
-		return ""
-	}
-	var meta profileMeta
-	if err := json.Unmarshal(data, &meta); err != nil {
-		return ""
-	}
-	return meta.Name
-}
-
-// activeProfileID returns the currently-active profile's ID. The second
-// return value is true when the active profile is the default one.
-func (s *ServiceManager) activeProfileID() (ID, bool) {
-	state, err := s.GetActiveProfileState()
-	if err != nil || state == nil {
-		return defaultProfileName, true
-	}
-	if state.ID == "" || state.ID == defaultProfileName {
-		return defaultProfileName, true
-	}
-	return state.ID, false
-}
-
-// ResolveProfile turns a user-supplied handle into a Profile. Resolution
-// precedence is: exact ID match, then unique exact name, then unique ID
-// prefix. Ambiguous matches return *ErrAmbiguousHandle so callers can
-// surface the candidates.
-func (s *ServiceManager) ResolveProfile(handle, username string) (*Profile, error) {
-	if handle == "" {
-		return nil, fmt.Errorf("profile handle is empty")
-	}
-
-	profiles, err := s.loadAllProfiles(username)
-	if err != nil {
-		return nil, err
-	}
-
-	for i := range profiles {
-		if profiles[i].ID == ID(handle) {
-			return &profiles[i], nil
-		}
-	}
-
-	var nameMatches []Profile
-	for i := range profiles {
-		if profiles[i].Name == handle {
-			nameMatches = append(nameMatches, profiles[i])
-		}
-	}
-	if len(nameMatches) == 1 {
-		return &nameMatches[0], nil
-	}
-	if len(nameMatches) > 1 {
-		return nil, &ErrAmbiguousHandle{
-			Handle:     handle,
-			Candidates: nameMatches,
-			Kind:       AmbiguityKindName,
-		}
-	}
-
-	// ID prefix match. Skip the default profile so `select d` does not
-	// accidentally pick it via prefix.
-	var prefixMatches []Profile
-	for i := range profiles {
-		if profiles[i].ID == defaultProfileName {
-			continue
-		}
-		if strings.HasPrefix(profiles[i].ID.String(), handle) {
-			prefixMatches = append(prefixMatches, profiles[i])
-		}
-	}
-	if len(prefixMatches) == 1 {
-		return &prefixMatches[0], nil
-	}
-	if len(prefixMatches) > 1 {
-		return nil, &ErrAmbiguousHandle{
-			Handle:     handle,
-			Candidates: prefixMatches,
-			Kind:       AmbiguityKindIDPrefix,
-		}
-	}
-
-	return nil, ErrProfileNotFound
-}
--- a/client/internal/profilemanager/service_test.go
+++ b/client/internal/profilemanager/service_test.go
@@ -1,230 +0,0 @@
-package profilemanager
-
-import (
-	"context"
-	"errors"
-	"os"
-	"os/user"
-	"path/filepath"
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/util"
-)
-
-// withTestSM wires up patched globals + a clean config dir and returns a
-// fully initialized ServiceManager plus the username we are scoped to.
-func withTestSM(t *testing.T, fn func(sm *ServiceManager, username string)) {
-	t.Helper()
-	withTempConfigDir(t, func(configDir string) {
-		withPatchedGlobals(t, configDir, func() {
-			u, err := user.Current()
-			require.NoError(t, err)
-			sm := &ServiceManager{}
-			require.NoError(t, sm.CreateDefaultProfile())
-			fn(sm, u.Username)
-		})
-	})
-}
-
-func TestServiceProfile_ExactID(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		created, err := sm.AddProfile("work", username)
-		require.NoError(t, err)
-
-		got, err := sm.ResolveProfile(created.ID.String(), username)
-		require.NoError(t, err)
-		assert.Equal(t, created.ID, got.ID)
-		assert.Equal(t, "work", got.Name)
-	})
-}
-
-func TestServiceProfile_IDPrefix(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		created, err := sm.AddProfile("work", username)
-		require.NoError(t, err)
-
-		prefix := created.ID[:4]
-		got, err := sm.ResolveProfile(prefix.String(), username)
-		require.NoError(t, err)
-		assert.Equal(t, created.ID, got.ID)
-	})
-}
-
-func TestServiceProfile_AmbiguousPrefix(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		// Plant two profiles whose IDs share a known prefix by writing
-		// the files directly, since generated IDs are random.
-		configDir, err := sm.getConfigDir(username)
-		require.NoError(t, err)
-		for _, id := range []string{"abcd1111aaaa", "abcd2222bbbb"} {
-			path := filepath.Join(configDir, id+".json")
-			require.NoError(t, util.WriteJson(context.Background(), path, &Config{Name: id}))
-		}
-
-		_, err = sm.ResolveProfile("abcd", username)
-		var amb *ErrAmbiguousHandle
-		require.ErrorAs(t, err, &amb)
-		assert.Equal(t, AmbiguityKindIDPrefix, amb.Kind)
-		assert.Len(t, amb.Candidates, 2)
-	})
-}
-
-func TestServiceProfile_ExactNameUnique(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		_, err := sm.AddProfile("work", username)
-		require.NoError(t, err)
-
-		got, err := sm.ResolveProfile("work", username)
-		require.NoError(t, err)
-		assert.Equal(t, "work", got.Name)
-	})
-}
-
-func TestServiceProfile_AmbiguousName(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		_, err := sm.AddProfile("work", username)
-		require.NoError(t, err)
-		_, err = sm.AddProfile("work", username)
-		require.NoError(t, err)
-
-		_, err = sm.ResolveProfile("work", username)
-		var amb *ErrAmbiguousHandle
-		require.ErrorAs(t, err, &amb)
-		assert.Equal(t, AmbiguityKindName, amb.Kind)
-		assert.Len(t, amb.Candidates, 2)
-	})
-}
-
-func TestServiceProfile_NotFound(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		_, err := sm.ResolveProfile("nope", username)
-		assert.ErrorIs(t, err, ErrProfileNotFound)
-	})
-}
-
-func TestServiceProfile_DefaultByExactID(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		got, err := sm.ResolveProfile(defaultProfileName, username)
-		require.NoError(t, err)
-		assert.Equal(t, defaultProfileName, got.ID.String())
-	})
-}
-
-func TestServiceProfile_LegacyFilenameCoexists(t *testing.T) {
-	// Legacy profiles stored as <name>.json with no "name" JSON field
-	// should still be discoverable by name and removable by name.
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		configDir, err := sm.getConfigDir(username)
-		require.NoError(t, err)
-		path := filepath.Join(configDir, "legacy.json")
-		require.NoError(t, util.WriteJson(context.Background(), path, &Config{}))
-
-		got, err := sm.ResolveProfile("legacy", username)
-		require.NoError(t, err)
-		assert.Equal(t, "legacy", got.ID.String())
-		// Name falls back to the filename stem when JSON omits it.
-		assert.Equal(t, "legacy", got.Name)
-	})
-}
-
-func TestAddProfile_AllowsDuplicateWithFlag(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		first, err := sm.AddProfile("work", username)
-		require.NoError(t, err)
-
-		second, err := sm.AddProfile("work", username)
-		require.NoError(t, err)
-		assert.NotEqual(t, first.ID, second.ID)
-		assert.Equal(t, "work", second.Name)
-	})
-}
-
-func TestAddProfile_RejectsInvalidNames(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		cases := []string{
-			"",                                       // empty
-			"\x00\x01",                               // only control chars (becomes empty)
-			strings.Repeat("a", maxProfileNameLen+1), // too long
-		}
-		for _, name := range cases {
-			_, err := sm.AddProfile(name, username)
-			assert.Error(t, err, "expected error for %q", name)
-		}
-	})
-}
-
-func TestRemoveProfile_RejectsInvalidID(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		err := sm.RemoveProfile("../escape", username)
-		assert.Error(t, err)
-	})
-}
-
-func TestSanitizeDisplayName(t *testing.T) {
-	cases := []struct {
-		in      string
-		want    string
-		wantErr bool
-	}{
-		{"work", "work", false},
-		{"My Work Account", "My Work Account", false},
-		{"emoji 🚀 ok", "emoji 🚀 ok", false},
-		{"漢字テスト", "漢字テスト", false},
-		{"with\x00null", "withnull", false},
-		{"\x01\x02\x03", "", true},
-		{"", "", true},
-	}
-	for _, tc := range cases {
-		got, err := sanitizeDisplayName(tc.in)
-		if tc.wantErr {
-			assert.Error(t, err, "case %q", tc.in)
-			continue
-		}
-		assert.NoError(t, err, "case %q", tc.in)
-		assert.Equal(t, tc.want, got, "case %q", tc.in)
-	}
-}
-
-func TestIsValidProfileFilenameStem(t *testing.T) {
-	cases := []struct {
-		in   string
-		want bool
-	}{
-		{"default", true},
-		{"abc123def456", true},
-		{"legacy-name", true},
-		{"legacy_name", true},
-		{"", false},
-		{"..", false},
-		{"../etc", false},
-		{"foo/bar", false},
-		{`foo\bar`, false},
-		{"with space", false},
-		{"with.dot", false},
-		{strings.Repeat("a", maxProfileIDLen+1), false},
-	}
-	for _, tc := range cases {
-		got := IsValidProfileFilenameStem(ID(tc.in))
-		assert.Equal(t, tc.want, got, "case %q", tc.in)
-	}
-}
-
-func TestRemoveProfile_DeletesStateFile(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		created, err := sm.AddProfile("work", username)
-		require.NoError(t, err)
-
-		configDir, err := sm.getConfigDir(username)
-		require.NoError(t, err)
-		statePath := filepath.Join(configDir, created.ID.String()+".state.json")
-		require.NoError(t, os.WriteFile(statePath, []byte(`{"email":"a@b"}`), 0600))
-
-		require.NoError(t, sm.RemoveProfile(created.ID, username))
-		_, err = os.Stat(statePath)
-		assert.True(t, errors.Is(err, os.ErrNotExist), "state file should be removed")
-	})
-}
--- a/client/internal/profilemanager/state.go
+++ b/client/internal/profilemanager/state.go
@@ -13,20 +13,13 @@ type ProfileState struct {
 	Email string `json:"email"`
 }

-// GetProfileState reads the per-profile state file keyed by profile ID.
-// The state file lives in the user's config directory. Legacy state files
-// keyed by the old profile name remain readable.
-func (pm *ProfileManager) GetProfileState(id ID) (*ProfileState, error) {
+func (pm *ProfileManager) GetProfileState(profileName string) (*ProfileState, error) {
 	configDir, err := getConfigDir()
 	if err != nil {
 		return nil, fmt.Errorf("get config directory: %w", err)
 	}

-	if id != defaultProfileName && !IsValidProfileFilenameStem(id) {
-		return nil, fmt.Errorf("invalid profile ID: %q", id)
-	}
-
-	stateFile := filepath.Join(configDir, id.String()+".state.json")
+	stateFile := filepath.Join(configDir, profileName+".state.json")
 	stateFileExists, err := fileExists(stateFile)
 	if err != nil {
 		return nil, fmt.Errorf("failed to check if profile state file exists: %w", err)
@@ -58,12 +51,7 @@ func (pm *ProfileManager) SetActiveProfileState(state *ProfileState) error {
 		return fmt.Errorf("get active profile: %w", err)
 	}

-	id := activeProf.ID
-	if id != defaultProfileName && !IsValidProfileFilenameStem(id) {
-		return fmt.Errorf("invalid active profile ID: %q", id)
-	}
-
-	stateFile := filepath.Join(configDir, id.String()+".state.json")
+	stateFile := filepath.Join(configDir, activeProf.Name+".state.json")
 	err = util.WriteJsonWithRestrictedPermission(context.Background(), stateFile, state)
 	if err != nil {
 		return fmt.Errorf("write profile state: %w", err)
--- a/client/internal/relay/relay.go
+++ b/client/internal/relay/relay.go
@@ -32,9 +32,6 @@ type ProbeResult struct {
 	URI  string
 	Err  error
 	Addr string
-	// Transport is the negotiated relay transport, empty
-	// for stun/turn probes or when not connected.
-	Transport string
 }

 type StunTurnProbe struct {
--- a/client/internal/routemanager/dnsinterceptor/handler.go
+++ b/client/internal/routemanager/dnsinterceptor/handler.go
@@ -251,14 +251,6 @@ func (d *DnsInterceptor) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		r.MsgHdr.AuthenticatedData = true
 	}

-	// Advertise EDNS0 to the forwarder so it may return an Extended DNS Error
-	// describing why a lookup failed. The OPT is stripped from the reply when
-	// the original client did not request EDNS0.
-	hadEdns := r.IsEdns0() != nil
-	if !hadEdns {
-		r.SetEdns0(dns.DefaultMsgSize, false)
-	}
-
 	upstream := net.JoinHostPort(upstreamIP.String(), strconv.FormatUint(uint64(d.forwarderPort.Load()), 10))
 	ctx, cancel := context.WithTimeout(context.Background(), dnsTimeout)
 	defer cancel()
@@ -268,13 +260,6 @@ func (d *DnsInterceptor) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		return
 	}

-	if ede, ok := resutil.ExtractEDE(reply); ok {
-		resutil.SetMeta(w, "ede", fmt.Sprintf("%d %s", ede.InfoCode, ede.ExtraText))
-	}
-	if !hadEdns {
-		resutil.StripOPT(reply)
-	}
-
 	resutil.SetMeta(w, "peer", peerKey)

 	reply.Id = r.Id
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -333,8 +333,6 @@ func (m *DefaultManager) Stop(stateManager *statemanager.Manager) {
 		}
 	}

-	m.notifier.Close()
-
 	m.mux.Lock()
 	defer m.mux.Unlock()
 	m.clientRoutes = nil
--- a/client/internal/routemanager/notifier/notifier_android.go
+++ b/client/internal/routemanager/notifier/notifier_android.go
@@ -16,7 +16,7 @@ import (
 type Notifier struct {
 	initialRoutes []*route.Route
 	currentRoutes []*route.Route
-	fakeIPRoutes  []*route.Route
+	fakeIPRoutes []*route.Route

 	listener    listener.NetworkChangeListener
 	listenerMux sync.Mutex
@@ -119,7 +119,3 @@ func (n *Notifier) GetInitialRouteRanges() []string {
 	sort.Strings(initialStrings)
 	return initialStrings
 }
-
-func (n *Notifier) Close() {
-	// unused
-}
--- a/client/internal/routemanager/notifier/notifier_ios.go
+++ b/client/internal/routemanager/notifier/notifier_ios.go
@@ -3,7 +3,6 @@
 package notifier

 import (
-	"container/list"
 	"net/netip"
 	"slices"
 	"sort"
@@ -15,26 +14,19 @@ import (
 )

 type Notifier struct {
-	mu              sync.Mutex
-	cond            *sync.Cond
 	currentPrefixes []string
-	listener        listener.NetworkChangeListener
-	queue           *list.List
-	closed          bool
+
+	listener    listener.NetworkChangeListener
+	listenerMux sync.Mutex
 }

 func NewNotifier() *Notifier {
-	n := &Notifier{
-		queue: list.New(),
-	}
-	n.cond = sync.NewCond(&n.mu)
-	go n.deliverLoop()
-	return n
+	return &Notifier{}
 }

 func (n *Notifier) SetListener(listener listener.NetworkChangeListener) {
-	n.mu.Lock()
-	defer n.mu.Unlock()
+	n.listenerMux.Lock()
+	defer n.listenerMux.Unlock()
 	n.listener = listener
 }

@@ -51,52 +43,32 @@ func (n *Notifier) OnNewRoutes(route.HAMap) {
 }

 func (n *Notifier) OnNewPrefixes(prefixes []netip.Prefix) {
-	newNets := make([]string, 0, len(prefixes))
+	newNets := make([]string, 0)
 	for _, prefix := range prefixes {
 		newNets = append(newNets, prefix.String())
 	}

 	sort.Strings(newNets)

-	n.mu.Lock()
 	if slices.Equal(n.currentPrefixes, newNets) {
-		n.mu.Unlock()
 		return
 	}
-	n.currentPrefixes = newNets
-	routes := strings.Join(n.currentPrefixes, ",")
-	n.queue.PushBack(routes)
-	n.cond.Signal()
-	n.mu.Unlock()
-}

-func (n *Notifier) Close() {
-	n.mu.Lock()
-	n.closed = true
-	n.cond.Signal()
-	n.mu.Unlock()
+	n.currentPrefixes = newNets
+	n.notify()
+}
+func (n *Notifier) notify() {
+	n.listenerMux.Lock()
+	defer n.listenerMux.Unlock()
+	if n.listener == nil {
+		return
+	}
+
+	go func(l listener.NetworkChangeListener) {
+		l.OnNetworkChanged(strings.Join(n.currentPrefixes, ","))
+	}(n.listener)
 }

 func (n *Notifier) GetInitialRouteRanges() []string {
 	return nil
 }
-
-func (n *Notifier) deliverLoop() {
-	for {
-		n.mu.Lock()
-		for n.queue.Len() == 0 && !n.closed {
-			n.cond.Wait()
-		}
-		if n.closed && n.queue.Len() == 0 {
-			n.mu.Unlock()
-			return
-		}
-		routes := n.queue.Remove(n.queue.Front()).(string)
-		l := n.listener
-		n.mu.Unlock()
-
-		if l != nil {
-			l.OnNetworkChanged(routes)
-		}
-	}
-}
--- a/client/internal/routemanager/notifier/notifier_other.go
+++ b/client/internal/routemanager/notifier/notifier_other.go
@@ -38,7 +38,3 @@ func (n *Notifier) OnNewPrefixes(prefixes []netip.Prefix) {
 func (n *Notifier) GetInitialRouteRanges() []string {
 	return []string{}
 }
-
-func (n *Notifier) Close() {
-	// unused
-}
--- a/client/internal/routemanager/systemops/systemops_generic.go
+++ b/client/internal/routemanager/systemops/systemops_generic.go
@@ -121,9 +121,12 @@ func (r *SysOps) addRouteToNonVPNIntf(prefix netip.Prefix, vpnIntf wgIface, init
 		return Nexthop{}, vars.ErrRouteNotAllowed
 	}

-	// Check if the prefix is part of any local subnets
-	if isLocal, subnet := r.isPrefixInLocalSubnets(prefix); isLocal {
-		return Nexthop{}, fmt.Errorf("prefix %s is part of local subnet %s: %w", prefix, subnet, vars.ErrRouteNotAllowed)
+	// BSDs blackhole a /32 added inside a directly-connected subnet; Linux/Windows need it to beat the wt0 route.
+	switch runtime.GOOS {
+	case "darwin", "freebsd", "netbsd", "openbsd", "dragonfly":
+		if isLocal, subnet := r.isPrefixInLocalSubnets(prefix); isLocal {
+			return Nexthop{}, fmt.Errorf("prefix %s is part of local subnet %s: %w", prefix, subnet, vars.ErrRouteNotAllowed)
+		}
 	}

 	// Determine the exit interface and next hop for the prefix, so we can add a specific route
--- a/client/ios/NetBirdSDK/login.go
+++ b/client/ios/NetBirdSDK/login.go
@@ -36,7 +36,6 @@ type URLOpener interface {
 // Auth can register or login new client
 type Auth struct {
 	ctx     context.Context
-	cancel  context.CancelFunc
 	config  *profilemanager.Config
 	cfgPath string
 }
@@ -52,19 +51,8 @@ func NewAuth(cfgPath string, mgmURL string) (*Auth, error) {
 		return nil, err
 	}

-	// Use a cancellable context so Stop() can abort an in-progress interactive
-	// login. The PKCE flow's WaitToken blocks (and keeps its loopback HTTP server
-	// bound to a port) until the OAuth callback arrives or the flow expires;
-	// cancelling the context unblocks WaitToken, which then shuts that server down
-	// and frees the port for the next login attempt. iOS runs login in the main-app
-	// process (decoupled from the network extension), so without this the server
-	// lingers after the user dismisses the browser and the next connect stalls
-	// trying to bind the same port.
-	ctx, cancel := context.WithCancel(context.Background())
-
 	return &Auth{
-		ctx:     ctx,
-		cancel:  cancel,
+		ctx:     context.Background(),
 		config:  cfg,
 		cfgPath: cfgPath,
 	}, nil
@@ -72,24 +60,12 @@ func NewAuth(cfgPath string, mgmURL string) (*Auth, error) {

 // NewAuthWithConfig instantiate Auth based on existing config
 func NewAuthWithConfig(ctx context.Context, config *profilemanager.Config) *Auth {
-	ctx, cancel := context.WithCancel(ctx)
 	return &Auth{
 		ctx:    ctx,
-		cancel: cancel,
 		config: config,
 	}
 }

-// Stop aborts an in-progress interactive login started via Login/LoginWithDeviceName.
-// It cancels the auth context, which unblocks the PKCE WaitToken and shuts down its
-// loopback HTTP server, freeing the redirect port. Safe to call multiple times and
-// safe to call when no login is running.
-func (a *Auth) Stop() {
-	if a.cancel != nil {
-		a.cancel()
-	}
-}
-
 // SaveConfigIfSSOSupported test the connectivity with the management server by retrieving the server device flow info.
 // If it returns a flow info than save the configuration and return true. If it gets a codes.NotFound, it means that SSO
 // is not supported and returns false without saving the configuration. For other errors return false.
--- a/client/proto/daemon.pb.go
+++ b/client/proto/daemon.pb.go
--- a/client/proto/daemon.proto
+++ b/client/proto/daemon.proto
@@ -85,8 +85,6 @@ service DaemonService {

  rpc AddProfile(AddProfileRequest) returns (AddProfileResponse) {}

-  rpc RenameProfile(RenameProfileRequest) returns (RenameProfileResponse) {}
-
  rpc RemoveProfile(RemoveProfileRequest) returns (RemoveProfileResponse) {}

  rpc ListProfiles(ListProfilesRequest) returns (ListProfilesResponse) {}
@@ -380,9 +378,6 @@ message RelayState {
  string URI = 1;
  bool available = 2;
  string error = 3;
-  // transport is the negotiated relay transport (e.g. "ws", "quic"),
-  // empty for stun/turn probes or when not connected.
-  string transport = 4;
 }

 message NSGroupState {
@@ -627,18 +622,11 @@ message GetEventsResponse {
 }

 message SwitchProfileRequest {
-  // profileName is treated as a handle: exact ID, unique ID prefix, or
-  // unique display name. The daemon resolves it server-side.
  optional string profileName = 1;
  optional string username = 2;
 }

-message SwitchProfileResponse {
-  // id is the resolved on-disk ID of the profile that became active.
-  // Lets CLI clients update their local active-profile state without
-  // duplicating the resolution logic.
-  string id = 1;
-}
+message SwitchProfileResponse {}

 message SetConfigRequest {
  string username = 1;
@@ -705,42 +693,17 @@ message SetConfigResponse{}

 message AddProfileRequest {
  string username = 1;
-  // profileName carries the human-readable display name for the new
-  // profile. The on-disk filename is a separately-generated ID.
  string profileName = 2;
 }

-message AddProfileResponse {
-  // id is the generated on-disk ID of the new profile. CLI clients
-  // display a truncated form, UI clients can ignore it.
-  string id = 1;
-}
-
-message RenameProfileRequest {
-  string username = 1;
-  // handle: an exact ID, a unique ID prefix, or a unique display name.
-  string handle = 2;
-  // newProfileName is the new human-readable display name for the profile.
-  string newProfileName = 3;
-}
-
-message RenameProfileResponse {
-  // confirm the old profile name after resolving handle.
-  string oldProfileName = 1;
-}
+message AddProfileResponse {}

 message RemoveProfileRequest {
  string username = 1;
-  // profileName is treated as a handle: an exact ID, a unique ID
-  // prefix, or a unique display name. Resolution happens server-side.
  string profileName = 2;
 }

-message RemoveProfileResponse {
-  // id is the full resolved ID of the removed profile, so callers can
-  // confirm exactly which profile a name/prefix handle resolved to.
-  string id = 1;
-}
+message RemoveProfileResponse {}

 message ListProfilesRequest {
  string username = 1;
@@ -753,7 +716,6 @@ message ListProfilesResponse {
 message Profile {
  string name = 1;
  bool is_active = 2;
-  string id = 3;
 }

 message GetActiveProfileRequest {}
@@ -761,7 +723,6 @@ message GetActiveProfileRequest {}
 message GetActiveProfileResponse {
  string profileName = 1;
  string username = 2;
-  string id = 3;
 }

 message LogoutRequest {
--- a/client/proto/daemon_grpc.pb.go
+++ b/client/proto/daemon_grpc.pb.go
@@ -45,7 +45,6 @@ const (
 	DaemonService_SwitchProfile_FullMethodName              = "/daemon.DaemonService/SwitchProfile"
 	DaemonService_SetConfig_FullMethodName                  = "/daemon.DaemonService/SetConfig"
 	DaemonService_AddProfile_FullMethodName                 = "/daemon.DaemonService/AddProfile"
-	DaemonService_RenameProfile_FullMethodName              = "/daemon.DaemonService/RenameProfile"
 	DaemonService_RemoveProfile_FullMethodName              = "/daemon.DaemonService/RemoveProfile"
 	DaemonService_ListProfiles_FullMethodName               = "/daemon.DaemonService/ListProfiles"
 	DaemonService_GetActiveProfile_FullMethodName           = "/daemon.DaemonService/GetActiveProfile"
@@ -113,7 +112,6 @@ type DaemonServiceClient interface {
 	SwitchProfile(ctx context.Context, in *SwitchProfileRequest, opts ...grpc.CallOption) (*SwitchProfileResponse, error)
 	SetConfig(ctx context.Context, in *SetConfigRequest, opts ...grpc.CallOption) (*SetConfigResponse, error)
 	AddProfile(ctx context.Context, in *AddProfileRequest, opts ...grpc.CallOption) (*AddProfileResponse, error)
-	RenameProfile(ctx context.Context, in *RenameProfileRequest, opts ...grpc.CallOption) (*RenameProfileResponse, error)
 	RemoveProfile(ctx context.Context, in *RemoveProfileRequest, opts ...grpc.CallOption) (*RemoveProfileResponse, error)
 	ListProfiles(ctx context.Context, in *ListProfilesRequest, opts ...grpc.CallOption) (*ListProfilesResponse, error)
 	GetActiveProfile(ctx context.Context, in *GetActiveProfileRequest, opts ...grpc.CallOption) (*GetActiveProfileResponse, error)
@@ -424,16 +422,6 @@ func (c *daemonServiceClient) AddProfile(ctx context.Context, in *AddProfileRequ
 	return out, nil
 }

-func (c *daemonServiceClient) RenameProfile(ctx context.Context, in *RenameProfileRequest, opts ...grpc.CallOption) (*RenameProfileResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(RenameProfileResponse)
-	err := c.cc.Invoke(ctx, DaemonService_RenameProfile_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 func (c *daemonServiceClient) RemoveProfile(ctx context.Context, in *RemoveProfileRequest, opts ...grpc.CallOption) (*RemoveProfileResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(RemoveProfileResponse)
@@ -625,7 +613,6 @@ type DaemonServiceServer interface {
 	SwitchProfile(context.Context, *SwitchProfileRequest) (*SwitchProfileResponse, error)
 	SetConfig(context.Context, *SetConfigRequest) (*SetConfigResponse, error)
 	AddProfile(context.Context, *AddProfileRequest) (*AddProfileResponse, error)
-	RenameProfile(context.Context, *RenameProfileRequest) (*RenameProfileResponse, error)
 	RemoveProfile(context.Context, *RemoveProfileRequest) (*RemoveProfileResponse, error)
 	ListProfiles(context.Context, *ListProfilesRequest) (*ListProfilesResponse, error)
 	GetActiveProfile(context.Context, *GetActiveProfileRequest) (*GetActiveProfileResponse, error)
@@ -736,9 +723,6 @@ func (UnimplementedDaemonServiceServer) SetConfig(context.Context, *SetConfigReq
 func (UnimplementedDaemonServiceServer) AddProfile(context.Context, *AddProfileRequest) (*AddProfileResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method AddProfile not implemented")
 }
-func (UnimplementedDaemonServiceServer) RenameProfile(context.Context, *RenameProfileRequest) (*RenameProfileResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "method RenameProfile not implemented")
-}
 func (UnimplementedDaemonServiceServer) RemoveProfile(context.Context, *RemoveProfileRequest) (*RemoveProfileResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method RemoveProfile not implemented")
 }
@@ -1253,24 +1237,6 @@ func _DaemonService_AddProfile_Handler(srv interface{}, ctx context.Context, dec
 	return interceptor(ctx, in, info, handler)
 }

-func _DaemonService_RenameProfile_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(RenameProfileRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(DaemonServiceServer).RenameProfile(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: DaemonService_RenameProfile_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(DaemonServiceServer).RenameProfile(ctx, req.(*RenameProfileRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
 func _DaemonService_RemoveProfile_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(RemoveProfileRequest)
 	if err := dec(in); err != nil {
@@ -1601,10 +1567,6 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "AddProfile",
 			Handler:    _DaemonService_AddProfile_Handler,
 		},
-		{
-			MethodName: "RenameProfile",
-			Handler:    _DaemonService_RenameProfile_Handler,
-		},
 		{
 			MethodName: "RemoveProfile",
 			Handler:    _DaemonService_RemoveProfile_Handler,
--- a/client/server/login_overrides_test.go
+++ b/client/server/login_overrides_test.go
@@ -79,7 +79,7 @@ func TestPersistLoginOverrides(t *testing.T) {
 			_, err := profilemanager.UpdateOrCreateConfig(seed)
 			require.NoError(t, err, "seed config")

-			activeProf := &profilemanager.ActiveProfileState{ID: "default"}
+			activeProf := &profilemanager.ActiveProfileState{Name: "default"}
 			err = persistLoginOverrides(activeProf, tt.newMgmtURL, tt.newPSK)
 			require.NoError(t, err, "persistLoginOverrides")

--- a/client/server/server.go
+++ b/client/server/server.go
@@ -78,7 +78,7 @@ type Server struct {
 	// changed by connectWithRetryRuns goroutine exit — for that
 	// (goroutine-still-alive) check, see connectionGoroutineRunning() which
 	// derives from clientGiveUpChan close state. Protected by s.mutex.
-	clientRunning     bool
+	clientRunning          bool
 	clientRunningChan chan struct{}
 	clientGiveUpChan  chan struct{} // closed when connectWithRetryRuns goroutine exits

@@ -375,7 +375,7 @@ func (s *Server) SetConfig(callerCtx context.Context, msg *proto.SetConfigReques
 		return nil, err
 	}

-	config, err := s.setConfigInputFromRequest(msg)
+	config, err := setConfigInputFromRequest(msg)
 	if err != nil {
 		return nil, err
 	}
@@ -398,17 +398,17 @@ func (s *Server) SetConfig(callerCtx context.Context, msg *proto.SetConfigReques
 // field is its own optional case. Returns the resolved ConfigInput
 // and a non-nil error only when the active profile file path cannot
 // be determined.
-func (s *Server) setConfigInputFromRequest(msg *proto.SetConfigRequest) (profilemanager.ConfigInput, error) {
+func setConfigInputFromRequest(msg *proto.SetConfigRequest) (profilemanager.ConfigInput, error) {
 	var config profilemanager.ConfigInput

-	resolved, err := s.resolveProfileHandle(msg.ProfileName, msg.Username)
-	if err != nil {
-		log.Errorf("failed to resolve profile %q: %v", msg.ProfileName, err)
-		return config, err
+	profState := profilemanager.ActiveProfileState{
+		Name:     msg.ProfileName,
+		Username: msg.Username,
 	}
-	profPath := resolved.Path
-	if profPath == "" {
-		profPath = profilemanager.DefaultConfigPath
+	profPath, err := profState.FilePath()
+	if err != nil {
+		log.Errorf("failed to get active profile file path: %v", err)
+		return config, fmt.Errorf("failed to get active profile file path: %w", err)
 	}
 	config.ConfigPath = profPath

@@ -535,9 +535,30 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 	}

 	if msg.ProfileName != nil {
-		if _, err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
-			log.Errorf("failed to switch profile: %v", err)
-			return nil, err
+		if *msg.ProfileName != "default" && (msg.Username == nil || *msg.Username == "") {
+			log.Errorf("profile name is set to %s, but username is not provided", *msg.ProfileName)
+			return nil, fmt.Errorf("profile name is set to %s, but username is not provided", *msg.ProfileName)
+		}
+
+		var username string
+		if *msg.ProfileName != "default" {
+			username = *msg.Username
+		}
+
+		if *msg.ProfileName != activeProf.Name && username != activeProf.Username {
+			if s.checkProfilesDisabled() {
+				log.Errorf("profiles are disabled, you cannot use this feature without profiles enabled")
+				return nil, gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
+			}
+
+			log.Infof("switching to profile %s for user '%s'", *msg.ProfileName, username)
+			if err := s.profileManager.SetActiveProfileState(&profilemanager.ActiveProfileState{
+				Name:     *msg.ProfileName,
+				Username: username,
+			}); err != nil {
+				log.Errorf("failed to set active profile state: %v", err)
+				return nil, fmt.Errorf("failed to set active profile state: %w", err)
+			}
 		}
 	}

@@ -547,7 +568,7 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 		return nil, fmt.Errorf("failed to get active profile state: %w", err)
 	}

-	log.Infof("active profile: %s for %s", activeProf.ID, activeProf.Username)
+	log.Infof("active profile: %s for %s", activeProf.Name, activeProf.Username)

 	s.mutex.Lock()

@@ -785,10 +806,10 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 	}

 	if msg != nil && msg.ProfileName != nil {
-		if _, err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
+		if err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
 			s.mutex.Unlock()
 			log.Errorf("failed to switch profile: %v", err)
-			return nil, err
+			return nil, fmt.Errorf("failed to switch profile: %w", err)
 		}
 	}

@@ -799,7 +820,7 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 		return nil, fmt.Errorf("failed to get active profile state: %w", err)
 	}

-	log.Infof("active profile: %s for %s", activeProf.ID, activeProf.Username)
+	log.Infof("active profile: %s for %s", activeProf.Name, activeProf.Username)

 	config, _, err := s.getConfig(activeProf)
 	if err != nil {
@@ -843,60 +864,34 @@ func (s *Server) waitForUp(callerCtx context.Context) (*proto.UpResponse, error)
 	}
 }

-// resolveProfileHandle resolves a wire-level profile handle (display
-// name, ID, or unique ID prefix) to a concrete profile. Returns gRPC
-// status errors so handlers can return them directly.
-func (s *Server) resolveProfileHandle(handle, username string) (*profilemanager.Profile, error) {
-	p, err := s.profileManager.ResolveProfile(handle, username)
-	if err == nil {
-		return p, nil
-	}
-	var amb *profilemanager.ErrAmbiguousHandle
-	if errors.As(err, &amb) {
-		return nil, gstatus.Errorf(codes.InvalidArgument, "%v", amb)
-	}
-	if errors.Is(err, profilemanager.ErrProfileNotFound) {
-		return nil, gstatus.Errorf(codes.NotFound, "profile %q not found", handle)
-	}
-	return nil, fmt.Errorf("resolve profile: %w", err)
-}
-
-// switchProfileIfNeeded resolves the user-supplied handle, updates the
-// active profile state if it differs from the current one, and returns
-// the resolved profile so callers can include its ID in RPC responses.
-func (s *Server) switchProfileIfNeeded(handle string, userName *string, activeProf *profilemanager.ActiveProfileState) (*profilemanager.Profile, error) {
-	if handle != profilemanager.DefaultProfileName && (userName == nil || *userName == "") {
-		log.Errorf("profile name is set to %s, but username is not provided", handle)
-		return nil, fmt.Errorf("profile name is set to %s, but username is not provided", handle)
+func (s *Server) switchProfileIfNeeded(profileName string, userName *string, activeProf *profilemanager.ActiveProfileState) error {
+	if profileName != "default" && (userName == nil || *userName == "") {
+		log.Errorf("profile name is set to %s, but username is not provided", profileName)
+		return fmt.Errorf("profile name is set to %s, but username is not provided", profileName)
 	}

 	var username string
-	if handle != profilemanager.DefaultProfileName {
+	if profileName != "default" {
 		username = *userName
 	}

-	resolved, err := s.resolveProfileHandle(handle, username)
-	if err != nil {
-		return nil, err
-	}
-
-	if resolved.ID != activeProf.ID || username != activeProf.Username {
+	if profileName != activeProf.Name || username != activeProf.Username {
 		if s.checkProfilesDisabled() {
 			log.Errorf("profiles are disabled, you cannot use this feature without profiles enabled")
-			return nil, gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
+			return gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
 		}

-		log.Infof("switching to profile %s (%s) for user %s", resolved.Name, resolved.ID, username)
+		log.Infof("switching to profile %s for user %s", profileName, username)
 		if err := s.profileManager.SetActiveProfileState(&profilemanager.ActiveProfileState{
-			ID:       resolved.ID,
+			Name:     profileName,
 			Username: username,
 		}); err != nil {
 			log.Errorf("failed to set active profile state: %v", err)
-			return nil, fmt.Errorf("failed to set active profile state: %w", err)
+			return fmt.Errorf("failed to set active profile state: %w", err)
 		}
 	}

-	return resolved, nil
+	return nil
 }

 // SwitchProfile switches the active profile in the daemon.
@@ -911,9 +906,9 @@ func (s *Server) SwitchProfile(callerCtx context.Context, msg *proto.SwitchProfi
 	}

 	if msg != nil && msg.ProfileName != nil {
-		if _, err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
+		if err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
 			log.Errorf("failed to switch profile: %v", err)
-			return nil, err
+			return nil, fmt.Errorf("failed to switch profile: %w", err)
 		}
 	}
 	activeProf, err = s.profileManager.GetActiveProfileState()
@@ -929,7 +924,7 @@ func (s *Server) SwitchProfile(callerCtx context.Context, msg *proto.SwitchProfi

 	s.config = config

-	return &proto.SwitchProfileResponse{Id: activeProf.ID.String()}, nil
+	return &proto.SwitchProfileResponse{}, nil
 }

 // Down engine work in the daemon.
@@ -993,10 +988,6 @@ func (s *Server) cleanupConnection() error {
 		return nil
 	}

-	// TODO: consider calling s.connectClient.Stop() instead of engine.Stop().
-	// actCancel() lets the run loop stop the engine too, so both stop it
-	// concurrently; ConnectClient.Stop cancels and waits for the run loop,
-	// making the run loop the sole owner of engine shutdown.
 	if engine != nil {
 		if err := engine.Stop(); err != nil {
 			return err
@@ -1023,27 +1014,22 @@ func (s *Server) Logout(ctx context.Context, msg *proto.LogoutRequest) (*proto.L
 }

 func (s *Server) handleProfileLogout(ctx context.Context, msg *proto.LogoutRequest) (*proto.LogoutResponse, error) {
+	if err := s.validateProfileOperation(*msg.ProfileName, true); err != nil {
+		return nil, err
+	}
+
 	if msg.Username == nil || *msg.Username == "" {
 		return nil, gstatus.Errorf(codes.InvalidArgument, "username must be provided when profile name is specified")
 	}
 	username := *msg.Username

-	resolved, err := s.resolveProfileHandle(*msg.ProfileName, username)
-	if err != nil {
-		return nil, err
-	}
-
-	if err := s.validateProfileOperation(resolved.ID, true); err != nil {
-		return nil, err
-	}
-
-	if err := s.logoutFromProfile(ctx, resolved); err != nil {
-		log.Errorf("failed to logout from profile %s: %v", resolved.ID, err)
+	if err := s.logoutFromProfile(ctx, *msg.ProfileName, username); err != nil {
+		log.Errorf("failed to logout from profile %s: %v", *msg.ProfileName, err)
 		return nil, gstatus.Errorf(codes.Internal, "logout: %v", err)
 	}

 	activeProf, _ := s.profileManager.GetActiveProfileState()
-	if activeProf != nil && activeProf.ID == resolved.ID {
+	if activeProf != nil && activeProf.Name == *msg.ProfileName {
 		if err := s.cleanupConnection(); err != nil && !errors.Is(err, ErrServiceNotUp) {
 			log.Errorf("failed to cleanup connection: %v", err)
 		}
@@ -1105,30 +1091,30 @@ func (s *Server) getConfig(activeProf *profilemanager.ActiveProfileState) (*prof
 	return config, configExisted, nil
 }

-func (s *Server) canRemoveProfile(id profilemanager.ID) error {
-	if id == profilemanager.DefaultProfileName {
+func (s *Server) canRemoveProfile(profileName string) error {
+	if profileName == profilemanager.DefaultProfileName {
 		return fmt.Errorf("remove profile with reserved name: %s", profilemanager.DefaultProfileName)
 	}

 	activeProf, err := s.profileManager.GetActiveProfileState()
-	if err == nil && activeProf.ID == id {
-		return fmt.Errorf("remove active profile: %s", id)
+	if err == nil && activeProf.Name == profileName {
+		return fmt.Errorf("remove active profile: %s", profileName)
 	}

 	return nil
 }

-func (s *Server) validateProfileOperation(id profilemanager.ID, allowActiveProfile bool) error {
+func (s *Server) validateProfileOperation(profileName string, allowActiveProfile bool) error {
 	if s.checkProfilesDisabled() {
 		return gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
 	}

-	if id == "" {
+	if profileName == "" {
 		return gstatus.Errorf(codes.InvalidArgument, "profile name must be provided")
 	}

 	if !allowActiveProfile {
-		if err := s.canRemoveProfile(id); err != nil {
+		if err := s.canRemoveProfile(profileName); err != nil {
 			return gstatus.Errorf(codes.InvalidArgument, "%v", err)
 		}
 	}
@@ -1136,20 +1122,25 @@ func (s *Server) validateProfileOperation(id profilemanager.ID, allowActiveProfi
 	return nil
 }

-func (s *Server) logoutFromProfile(ctx context.Context, profile *profilemanager.Profile) error {
+// logoutFromProfile logs out from a specific profile by loading its config and sending logout request
+func (s *Server) logoutFromProfile(ctx context.Context, profileName, username string) error {
 	activeProf, err := s.profileManager.GetActiveProfileState()
-	if err == nil && activeProf.ID == profile.ID && s.connectClient != nil {
+	if err == nil && activeProf.Name == profileName && s.connectClient != nil {
 		return s.sendLogoutRequest(ctx)
 	}

-	cfgPath := profile.Path
-	if cfgPath == "" {
-		cfgPath = profilemanager.DefaultConfigPath
+	profileState := &profilemanager.ActiveProfileState{
+		Name:     profileName,
+		Username: username,
+	}
+	profilePath, err := profileState.FilePath()
+	if err != nil {
+		return fmt.Errorf("get profile path: %w", err)
 	}

-	config, err := profilemanager.GetConfig(cfgPath)
+	config, err := profilemanager.GetConfig(profilePath)
 	if err != nil {
-		return fmt.Errorf("profile '%s' not found", profile.ID)
+		return fmt.Errorf("profile '%s' not found", profileName)
 	}

 	return s.sendLogoutRequestWithConfig(ctx, config)
@@ -1567,14 +1558,15 @@ func (s *Server) GetConfig(ctx context.Context, req *proto.GetConfigRequest) (*p
 		return nil, ctx.Err()
 	}

-	resolved, err := s.resolveProfileHandle(req.ProfileName, req.Username)
-	if err != nil {
-		log.Errorf("failed to resolve profile %q: %v", req.ProfileName, err)
-		return nil, err
+	prof := profilemanager.ActiveProfileState{
+		Name:     req.ProfileName,
+		Username: req.Username,
 	}
-	cfgPath := resolved.Path
-	if cfgPath == "" {
-		cfgPath = profilemanager.DefaultConfigPath
+
+	cfgPath, err := prof.FilePath()
+	if err != nil {
+		log.Errorf("failed to get active profile file path: %v", err)
+		return nil, fmt.Errorf("failed to get active profile file path: %w", err)
 	}

 	cfg, err := profilemanager.GetConfig(cfgPath)
@@ -1679,39 +1671,12 @@ func (s *Server) AddProfile(ctx context.Context, msg *proto.AddProfileRequest) (
 		return nil, gstatus.Errorf(codes.InvalidArgument, "profile name and username must be provided")
 	}

-	created, err := s.profileManager.AddProfile(msg.ProfileName, msg.Username)
-	if err != nil {
+	if err := s.profileManager.AddProfile(msg.ProfileName, msg.Username); err != nil {
 		log.Errorf("failed to create profile: %v", err)
 		return nil, fmt.Errorf("failed to create profile: %w", err)
 	}

-	return &proto.AddProfileResponse{Id: created.ID.String()}, nil
-}
-
-func (s *Server) RenameProfile(ctx context.Context, msg *proto.RenameProfileRequest) (*proto.RenameProfileResponse, error) {
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
-
-	if s.checkProfilesDisabled() {
-		return nil, gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
-	}
-
-	if msg.Handle == "" || msg.Username == "" || msg.NewProfileName == "" {
-		return nil, gstatus.Errorf(codes.InvalidArgument, "profile name, username and new profile name must be provided")
-	}
-
-	resolved, err := s.resolveProfileHandle(msg.Handle, msg.Username)
-	if err != nil {
-		return nil, err
-	}
-
-	err = s.profileManager.RenameProfile(resolved.ID, msg.Username, msg.NewProfileName)
-	if err != nil {
-		log.Errorf("failed to rename profile: %v", err)
-		return nil, fmt.Errorf("failed to rename profile: %w", err)
-	}
-
-	return &proto.RenameProfileResponse{OldProfileName: resolved.Name}, nil
+	return &proto.AddProfileResponse{}, nil
 }

 // RemoveProfile removes a profile from the daemon.
@@ -1719,29 +1684,20 @@ func (s *Server) RemoveProfile(ctx context.Context, msg *proto.RemoveProfileRequ
 	s.mutex.Lock()
 	defer s.mutex.Unlock()

-	if s.checkProfilesDisabled() {
-		return nil, gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
-	}
-
-	if msg.ProfileName == "" {
-		return nil, gstatus.Errorf(codes.InvalidArgument, "profile name must be provided")
-	}
-
-	resolved, err := s.resolveProfileHandle(msg.ProfileName, msg.Username)
-	if err != nil {
+	if err := s.validateProfileOperation(msg.ProfileName, false); err != nil {
 		return nil, err
 	}

-	if err := s.logoutFromProfile(ctx, resolved); err != nil {
-		log.Warnf("failed to logout from profile %s before removal: %v", resolved.ID, err)
+	if err := s.logoutFromProfile(ctx, msg.ProfileName, msg.Username); err != nil {
+		log.Warnf("failed to logout from profile %s before removal: %v", msg.ProfileName, err)
 	}

-	if err := s.profileManager.RemoveProfile(resolved.ID, msg.Username); err != nil {
+	if err := s.profileManager.RemoveProfile(msg.ProfileName, msg.Username); err != nil {
 		log.Errorf("failed to remove profile: %v", err)
 		return nil, fmt.Errorf("failed to remove profile: %w", err)
 	}

-	return &proto.RemoveProfileResponse{Id: resolved.ID.String()}, nil
+	return &proto.RemoveProfileResponse{}, nil
 }

 // ListProfiles lists all profiles in the daemon.
@@ -1764,7 +1720,6 @@ func (s *Server) ListProfiles(ctx context.Context, msg *proto.ListProfilesReques
 	}
 	for i, profile := range profiles {
 		response.Profiles[i] = &proto.Profile{
-			Id:       profile.ID.String(),
 			Name:     profile.Name,
 			IsActive: profile.IsActive,
 		}
@@ -1773,9 +1728,7 @@ func (s *Server) ListProfiles(ctx context.Context, msg *proto.ListProfilesReques
 	return response, nil
 }

-// GetActiveProfile returns the active profile in the daemon. The ProfileName
-// field carries the display name for backwards compatibility with UI clients,
-// new callers should prefer Id.
+// GetActiveProfile returns the active profile in the daemon.
 func (s *Server) GetActiveProfile(ctx context.Context, msg *proto.GetActiveProfileRequest) (*proto.GetActiveProfileResponse, error) {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
@@ -1786,23 +1739,9 @@ func (s *Server) GetActiveProfile(ctx context.Context, msg *proto.GetActiveProfi
 		return nil, fmt.Errorf("failed to get active profile state: %w", err)
 	}

-	// Fallback to legacy name == ID
-	displayName := activeProfile.ID.String()
-	if activeProfile.ID != profilemanager.DefaultProfileName {
-		if profiles, lerr := s.profileManager.ListProfiles(activeProfile.Username); lerr == nil {
-			for _, p := range profiles {
-				if p.ID == activeProfile.ID {
-					displayName = p.Name
-					break
-				}
-			}
-		}
-	}
-
 	return &proto.GetActiveProfileResponse{
-		ProfileName: displayName,
+		ProfileName: activeProfile.Name,
 		Username:    activeProfile.Username,
-		Id:          activeProfile.ID.String(),
 	}, nil
 }

--- a/client/server/server_test.go
+++ b/client/server/server_test.go
@@ -97,7 +97,7 @@ func TestConnectWithRetryRuns(t *testing.T) {

 	pm := profilemanager.ServiceManager{}
 	err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		ID:       "test-profile",
+		Name:     "test-profile",
 		Username: currUser.Username,
 	})
 	if err != nil {
@@ -158,7 +158,7 @@ func TestServer_Up(t *testing.T) {

 	pm := profilemanager.ServiceManager{}
 	err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		ID:       profilemanager.ID(profName),
+		Name:     profName,
 		Username: currUser.Username,
 	})
 	if err != nil {
@@ -228,7 +228,7 @@ func TestServer_SubcribeEvents(t *testing.T) {

 	pm := profilemanager.ServiceManager{}
 	err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		ID:       "default",
+		Name:     "default",
 		Username: currUser.Username,
 	})
 	if err != nil {
--- a/client/server/setconfig_mdm_test.go
+++ b/client/server/setconfig_mdm_test.go
@@ -62,7 +62,7 @@ func setupServerWithProfile(t *testing.T) (s *Server, ctx context.Context, profN

 	pm := profilemanager.ServiceManager{}
 	require.NoError(t, pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		ID:       profilemanager.ID(profName),
+		Name:     profName,
 		Username: currUser.Username,
 	}))

@@ -107,9 +107,9 @@ func TestSetConfig_MDMReject_SingleField(t *testing.T) {

 func TestSetConfig_MDMReject_MultipleFields(t *testing.T) {
 	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
-		mdm.KeyManagementURL:    "https://mdm.example.com:443",
-		mdm.KeyBlockInbound:     true,
-		mdm.KeyRosenpassEnabled: true,
+		mdm.KeyManagementURL:     "https://mdm.example.com:443",
+		mdm.KeyBlockInbound:      true,
+		mdm.KeyRosenpassEnabled:  true,
 	}))

 	s, ctx, profName, username, _ := setupServerWithProfile(t)
--- a/client/server/setconfig_test.go
+++ b/client/server/setconfig_test.go
@@ -47,7 +47,7 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {

 	pm := profilemanager.ServiceManager{}
 	err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		ID:       profilemanager.ID(profName),
+		Name:     profName,
 		Username: currUser.Username,
 	})
 	require.NoError(t, err)
@@ -96,7 +96,7 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 		DisableNotifications:  &disableNotifications,
 		LazyConnectionEnabled: &lazyConnectionEnabled,
 		BlockInbound:          &blockInbound,
-		DisableIpv6:           &disableIPv6,
+		DisableIpv6:          &disableIPv6,
 		NatExternalIPs:        []string{"1.2.3.4", "5.6.7.8"},
 		CleanNATExternalIPs:   false,
 		CustomDNSAddress:      []byte("1.1.1.1:53"),
@@ -112,7 +112,7 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 	require.NoError(t, err)

 	profState := profilemanager.ActiveProfileState{
-		ID:       profilemanager.ID(profName),
+		Name:     profName,
 		Username: currUser.Username,
 	}
 	cfgPath, err := profState.FilePath()
--- a/client/status/status.go
+++ b/client/status/status.go
@@ -98,7 +98,6 @@ type RelayStateOutputDetail struct {
 	URI       string `json:"uri" yaml:"uri"`
 	Available bool   `json:"available" yaml:"available"`
 	Error     string `json:"error" yaml:"error"`
-	Transport string `json:"transport,omitempty" yaml:"transport,omitempty"`
 }

 type RelayStateOutput struct {
@@ -220,8 +219,7 @@ func mapRelays(relays []*proto.RelayState) RelayStateOutput {
 			RelayStateOutputDetail{
 				URI:       relay.URI,
 				Available: available,
-				Error:     relayErrorString(relay.GetError()),
-				Transport: relay.GetTransport(),
+				Error:     relay.GetError(),
 			},
 		)

@@ -237,12 +235,6 @@ func mapRelays(relays []*proto.RelayState) RelayStateOutput {
 	}
 }

-// relayErrorString flattens a newline-joined aggregated relay error onto a
-// single line for status output.
-func relayErrorString(s string) string {
-	return strings.ReplaceAll(s, "\n", "; ")
-}
-
 func mapNSGroups(servers []*proto.NSGroupState) []NsServerGroupStateOutput {
 	mappedNSGroups := make([]NsServerGroupStateOutput, 0, len(servers))
 	for _, pbNsGroupServer := range servers {
@@ -449,8 +441,6 @@ func (o *OutputOverview) GeneralSummary(showURL bool, showRelays bool, showNameS
 					available = "Unavailable"
 					reason = fmt.Sprintf(", reason: %s", relay.Error)
 				}
-			} else if relay.Transport != "" {
-				available = fmt.Sprintf("%s via %s", available, relay.Transport)
 			}

 			relaysString += fmt.Sprintf("\n  [%s] is %s%s", relay.URI, available, reason)
--- a/client/status/status_test.go
+++ b/client/status/status_test.go
@@ -647,13 +647,3 @@ func TestTimeAgo(t *testing.T) {
 		})
 	}
 }
-
-func TestMapRelaysTransport(t *testing.T) {
-	out := mapRelays([]*proto.RelayState{
-		{URI: "rels://relay.example:443", Available: true, Transport: "quic"},
-		{URI: "rels://relay2.example:443", Available: true, Transport: "ws"},
-	})
-	require.Len(t, out.Details, 2)
-	assert.Equal(t, "quic", out.Details[0].Transport)
-	assert.Equal(t, "ws", out.Details[1].Transport)
-}
--- a/client/ui/client_ui.go
+++ b/client/ui/client_ui.go
@@ -645,7 +645,7 @@ func (s *serviceClient) buildSetConfigRequest(iMngURL string, port, mtu int64) (
 	}

 	req := &proto.SetConfigRequest{
-		ProfileName: activeProf.ID.String(),
+		ProfileName: activeProf.Name,
 		Username:    currUser.Username,
 	}

@@ -818,15 +818,13 @@ func (s *serviceClient) login(ctx context.Context, openURL bool) (*proto.LoginRe
 		return nil, fmt.Errorf("get current user: %w", err)
 	}

-	handle := activeProf.ID.String()
-
 	loginReq := &proto.LoginRequest{
 		IsUnixDesktopClient: runtime.GOOS == "linux" || runtime.GOOS == "freebsd",
-		ProfileName:         &handle,
+		ProfileName:         &activeProf.Name,
 		Username:            &currUser.Username,
 	}

-	profileState, err := s.profileManager.GetProfileState(activeProf.ID)
+	profileState, err := s.profileManager.GetProfileState(activeProf.Name)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {
@@ -1369,7 +1367,7 @@ func (s *serviceClient) getSrvConfig() {
 	}

 	srvCfg, err := conn.GetConfig(s.ctx, &proto.GetConfigRequest{
-		ProfileName: activeProf.ID.String(),
+		ProfileName: activeProf.Name,
 		Username:    currUser.Username,
 	})
 	if err != nil {
@@ -1615,7 +1613,7 @@ func (s *serviceClient) loadSettings() {
 	}

 	cfg, err := conn.GetConfig(s.ctx, &proto.GetConfigRequest{
-		ProfileName: activeProf.ID.String(),
+		ProfileName: activeProf.Name,
 		Username:    currUser.Username,
 	})
 	if err != nil {
@@ -1815,7 +1813,7 @@ func (s *serviceClient) updateConfig() error {
 	}

 	req := proto.SetConfigRequest{
-		ProfileName:           activeProf.ID.String(),
+		ProfileName:           activeProf.Name,
 		Username:              currUser.Username,
 		DisableAutoConnect:    &disableAutoStart,
 		ServerSSHAllowed:      &sshAllowed,
--- a/client/ui/profile.go
+++ b/client/ui/profile.go
@@ -66,7 +66,7 @@ func (s *serviceClient) showProfilesUI() {
 			} else {
 				indicator.SetText("")
 			}
-			nameLabel.SetText(formatProfileLabel(profile, profiles))
+			nameLabel.SetText(profile.Name)

 			// Configure Select/Active button
 			selectBtn.SetText(func() string {
@@ -88,7 +88,7 @@ func (s *serviceClient) showProfilesUI() {
 							return
 						}
 						// switch
-						err = s.switchProfile(profile.ID)
+						err = s.switchProfile(profile.Name)
 						if err != nil {
 							log.Errorf("failed to switch profile: %v", err)
 							dialog.ShowError(errors.New("failed to select profile"), s.wProfiles)
@@ -130,7 +130,7 @@ func (s *serviceClient) showProfilesUI() {
 			logoutBtn.Show()
 			logoutBtn.SetText("Deregister")
 			logoutBtn.OnTapped = func() {
-				s.handleProfileLogout(profile, refresh)
+				s.handleProfileLogout(profile.Name, refresh)
 			}

 			// Remove profile
@@ -144,7 +144,7 @@ func (s *serviceClient) showProfilesUI() {
 							return
 						}

-						err = s.removeProfile(profile.ID)
+						err = s.removeProfile(profile.Name)
 						if err != nil {
 							log.Errorf("failed to remove profile: %v", err)
 							dialog.ShowError(fmt.Errorf("failed to remove profile"), s.wProfiles)
@@ -250,7 +250,7 @@ func (s *serviceClient) addProfile(profileName string) error {
 	return nil
 }

-func (s *serviceClient) switchProfile(handle string) error {
+func (s *serviceClient) switchProfile(profileName string) error {
 	conn, err := s.getSrvClient(defaultFailTimeout)
 	if err != nil {
 		return fmt.Errorf(getClientFMT, err)
@@ -261,15 +261,15 @@ func (s *serviceClient) switchProfile(handle string) error {
 		return fmt.Errorf("get current user: %w", err)
 	}

-	resp, err := conn.SwitchProfile(s.ctx, &proto.SwitchProfileRequest{
-		ProfileName: &handle,
+	if _, err := conn.SwitchProfile(s.ctx, &proto.SwitchProfileRequest{
+		ProfileName: &profileName,
 		Username:    &currUser.Username,
-	})
-	if err != nil {
+	}); err != nil {
 		return fmt.Errorf("switch profile failed: %w", err)
 	}

-	if err := s.profileManager.SwitchProfile(profilemanager.ID(resp.Id)); err != nil {
+	err = s.profileManager.SwitchProfile(profileName)
+	if err != nil {
 		return fmt.Errorf("switch profile: %w", err)
 	}

@@ -299,27 +299,10 @@ func (s *serviceClient) removeProfile(profileName string) error {
 }

 type Profile struct {
-	ID       string
 	Name     string
 	IsActive bool
 }

-// formatProfileLabel returns the display label for a profile. Profiles can
-// share the same Name, so when more than one profile in profiles carries this
-// Name, a short form of the ID is appended to disambiguate the entries.
-func formatProfileLabel(profile Profile, profiles []Profile) string {
-	count := 0
-	for _, p := range profiles {
-		if p.Name == profile.Name {
-			count++
-		}
-	}
-	if count <= 1 {
-		return profile.Name
-	}
-	return fmt.Sprintf("%s (%s)", profile.Name, profilemanager.ID(profile.ID).ShortID())
-}
-
 func (s *serviceClient) getProfiles() ([]Profile, error) {
 	conn, err := s.getSrvClient(defaultFailTimeout)
 	if err != nil {
@@ -341,7 +324,6 @@ func (s *serviceClient) getProfiles() ([]Profile, error) {

 	for _, profile := range profilesResp.Profiles {
 		profiles = append(profiles, Profile{
-			ID:       profile.Id,
 			Name:     profile.Name,
 			IsActive: profile.IsActive,
 		})
@@ -350,10 +332,10 @@ func (s *serviceClient) getProfiles() ([]Profile, error) {
 	return profiles, nil
 }

-func (s *serviceClient) handleProfileLogout(profile Profile, refreshCallback func()) {
+func (s *serviceClient) handleProfileLogout(profileName string, refreshCallback func()) {
 	dialog.ShowConfirm(
 		"Deregister",
-		fmt.Sprintf("Are you sure you want to deregister from '%s'?", profile.Name),
+		fmt.Sprintf("Are you sure you want to deregister from '%s'?", profileName),
 		func(confirm bool) {
 			if !confirm {
 				return
@@ -374,10 +356,8 @@ func (s *serviceClient) handleProfileLogout(profile Profile, refreshCallback fun
 			}

 			username := currUser.Username
-			// ProfileName is treated as a handle; send the ID so the
-			// daemon resolves to exactly this profile.
 			_, err = conn.Logout(s.ctx, &proto.LogoutRequest{
-				ProfileName: &profile.ID,
+				ProfileName: &profileName,
 				Username:    &username,
 			})
 			if err != nil {
@@ -388,7 +368,7 @@ func (s *serviceClient) handleProfileLogout(profile Profile, refreshCallback fun

 			dialog.ShowInformation(
 				"Deregistered",
-				fmt.Sprintf("Successfully deregistered from '%s'", profile.Name),
+				fmt.Sprintf("Successfully deregistered from '%s'", profileName),
 				s.wProfiles,
 			)

@@ -481,7 +461,6 @@ func (p *profileMenu) getProfiles() ([]Profile, error) {

 	for _, profile := range profilesResp.Profiles {
 		profiles = append(profiles, Profile{
-			ID:       profile.Id,
 			Name:     profile.Name,
 			IsActive: profile.IsActive,
 		})
@@ -522,7 +501,7 @@ func (p *profileMenu) refresh() {
 	}

 	if activeProf.ProfileName == "default" || activeProf.Username == currUser.Username {
-		activeProfState, err := p.profileManager.GetProfileState(profilemanager.ID(activeProf.Id))
+		activeProfState, err := p.profileManager.GetProfileState(activeProf.ProfileName)
 		if err != nil {
 			log.Warnf("failed to get active profile state: %v", err)
 			p.emailMenuItem.Hide()
@@ -533,7 +512,7 @@ func (p *profileMenu) refresh() {
 	}

 	for _, profile := range profiles {
-		item := p.profileMenuItem.AddSubMenuItem(formatProfileLabel(profile, profiles), "")
+		item := p.profileMenuItem.AddSubMenuItem(profile.Name, "")
 		if profile.IsActive {
 			item.Check()
 		}
@@ -562,8 +541,8 @@ func (p *profileMenu) refresh() {
 						return
 					}

-					switchResp, err := conn.SwitchProfile(ctx, &proto.SwitchProfileRequest{
-						ProfileName: &profile.ID,
+					_, err = conn.SwitchProfile(ctx, &proto.SwitchProfileRequest{
+						ProfileName: &profile.Name,
 						Username:    &currUser.Username,
 					})
 					if err != nil {
@@ -573,7 +552,7 @@ func (p *profileMenu) refresh() {
 						return
 					}

-					err = p.profileManager.SwitchProfile(profilemanager.ID(switchResp.Id))
+					err = p.profileManager.SwitchProfile(profile.Name)
 					if err != nil {
 						log.Errorf("failed to switch profile '%s': %v", profile.Name, err)
 						return
@@ -748,10 +727,7 @@ func (p *profileMenu) updateMenu() {
 			}

 			sort.Slice(profiles, func(i, j int) bool {
-				if profiles[i].Name != profiles[j].Name {
-					return profiles[i].Name < profiles[j].Name
-				}
-				return profiles[i].ID < profiles[j].ID
+				return profiles[i].Name < profiles[j].Name
 			})

 			p.mu.Lock()
--- a/combined/Dockerfile
+++ b/combined/Dockerfile
@@ -2,5 +2,4 @@ FROM ubuntu:24.04
 RUN apt update && apt install -y ca-certificates && rm -fr /var/cache/apt
 ENTRYPOINT [ "/go/bin/netbird-server" ]
 CMD ["--config", "/etc/netbird/config.yaml"]
-ARG TARGETPLATFORM
-COPY ${TARGETPLATFORM}/netbird-server /go/bin/netbird-server
+COPY netbird-server /go/bin/netbird-server
--- a/infrastructure_files/getting-started-enterprise.sh
+++ b/infrastructure_files/getting-started-enterprise.sh
@@ -1,616 +0,0 @@
-#!/bin/bash
-
-set -e
-set -o pipefail
-
-# NetBird Enterprise — Getting Started
-# Single-node bootstrap for a self-hosted NetBird Enterprise stack with the
-# embedded identity provider. Owner is created via first-login flow.
-
-SED_STRIP_PADDING='s/=//g'
-
-check_docker_compose() {
-  if command -v docker-compose &> /dev/null; then
-    echo "docker-compose"
-    return
-  fi
-  if docker compose --help &> /dev/null; then
-    echo "docker compose"
-    return
-  fi
-  echo "docker-compose is not installed or not in PATH. See https://docs.docker.com/engine/install/" > /dev/stderr
-  exit 1
-}
-
-check_openssl() {
-  if ! command -v openssl &> /dev/null; then
-    echo "openssl is not installed or not in PATH." > /dev/stderr
-    exit 1
-  fi
-}
-
-rand_secret() {
-  openssl rand -base64 32 | sed "$SED_STRIP_PADDING"
-}
-
-rand_b64_key() {
-  openssl rand -base64 32
-}
-
-check_nb_domain() {
-  local domain="$1"
-  if [[ -z "$domain" ]]; then
-    echo "The domain cannot be empty." > /dev/stderr
-    return 1
-  fi
-  if [[ "$domain" == "netbird.example.com" ]]; then
-    echo "The domain cannot be netbird.example.com" > /dev/stderr
-    return 1
-  fi
-  if [[ "$domain" =~ ^[0-9.]+$ ]]; then
-    echo "An IP address is not allowed. A real DNS-resolvable domain is required for TLS and the embedded IdP issuer." > /dev/stderr
-    return 1
-  fi
-  if [[ ! "$domain" =~ ^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$ ]]; then
-    echo "The value '$domain' is not a valid FQDN. A real DNS-resolvable domain is required for TLS and the embedded IdP issuer." > /dev/stderr
-    return 1
-  fi
-  return 0
-}
-
-check_domain_resolves() {
-  local domain="$1"
-  if command -v getent &> /dev/null && getent hosts "$domain" &> /dev/null; then return 0; fi
-  if command -v host &> /dev/null && host "$domain" &> /dev/null; then return 0; fi
-  if command -v dig &> /dev/null && [[ -n "$(dig +short "$domain" 2>/dev/null)" ]]; then return 0; fi
-  if command -v nslookup &> /dev/null && nslookup "$domain" &> /dev/null; then return 0; fi
-  return 1
-}
-
-read_nb_domain() {
-  local value=""
-  echo -n "Enter the FQDN for NetBird (must resolve via DNS, e.g. netbird.my-domain.com): " > /dev/stderr
-  read -r value < /dev/tty
-  if ! check_nb_domain "$value"; then
-    read_nb_domain
-    return
-  fi
-  if ! check_domain_resolves "$value"; then
-    echo "" > /dev/stderr
-    echo "Warning: '$value' does not resolve via DNS from this host." > /dev/stderr
-    echo "Caddy will not be able to issue TLS certificates until it does." > /dev/stderr
-    local confirm=""
-    echo -n "Continue anyway? [y/N]: " > /dev/stderr
-    read -r confirm < /dev/tty
-    if [[ ! "$confirm" =~ ^[Yy]$ ]]; then
-      read_nb_domain
-      return
-    fi
-  fi
-  echo "$value"
-}
-
-read_required() {
-  local prompt="$1"
-  local value=""
-  while [[ -z "$value" ]]; do
-    echo -n "$prompt: " > /dev/stderr
-    read -r value < /dev/tty
-    if [[ -z "$value" ]]; then
-      echo "Value cannot be empty." > /dev/stderr
-    fi
-  done
-  echo "$value"
-}
-
-read_secret() {
-  local prompt="$1"
-  local value=""
-  while [[ -z "$value" ]]; do
-    echo -n "$prompt: " > /dev/stderr
-    read -rs value < /dev/tty
-    echo "" > /dev/stderr
-    if [[ -z "$value" ]]; then
-      echo "Value cannot be empty." > /dev/stderr
-    fi
-  done
-  echo "$value"
-}
-
-# read_yes_no "<prompt>" [<default y|n>]
-read_yes_no() {
-  local prompt="$1"
-  local default="${2:-n}"
-  local hint
-  if [[ "$default" == "y" ]]; then
-    hint="[Y/n]"
-  else
-    hint="[y/N]"
-  fi
-  echo -n "${prompt} ${hint}: " > /dev/stderr
-  local ans=""
-  read -r ans < /dev/tty
-  if [[ -z "$ans" ]]; then
-    ans="$default"
-  fi
-  case "$ans" in
-    [Yy] | [Yy][Ee][Ss]) echo "yes" ;;
-    *) echo "no" ;;
-  esac
-}
-
-wait_postgres() {
-  set +e
-  echo -n "Waiting for postgres to become ready"
-  local counter=1
-  while true; do
-    if $DOCKER_COMPOSE_COMMAND exec -T postgres pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" &> /dev/null; then
-      break
-    fi
-    if [[ $counter -eq 60 ]]; then
-      echo ""
-      echo "Postgres is taking too long. Recent logs:"
-      $DOCKER_COMPOSE_COMMAND logs --tail=20 postgres
-      exit 1
-    fi
-    echo -n " ."
-    sleep 2
-    counter=$((counter + 1))
-  done
-  echo " done"
-  set -e
-}
-
-init_environment() {
-  check_openssl
-  DOCKER_COMPOSE_COMMAND=$(check_docker_compose)
-
-  if [[ -f .env ]] || [[ -f docker-compose.yml ]] || [[ -f config.yaml ]] || [[ -f Caddyfile ]]; then
-    echo "Generated files already exist in $(pwd)."
-    echo "If you want to reinitialize the environment, please remove them first:"
-    echo "  $DOCKER_COMPOSE_COMMAND down --volumes # removes all containers and volumes"
-    echo "  rm -f .env docker-compose.yml Caddyfile config.yaml"
-    echo "Be aware this will remove all data from the database."
-    exit 1
-  fi
-
-  echo "NetBird Enterprise bootstrap"
-  echo ""
-  echo "Traffic flow:"
-  echo "  Enables traffic events logging on the management server."
-  echo "  When enabled, the NetBird stack also runs NATS along with two"
-  echo "  additional containers: netbird-receiver (the traffic log receiver"
-  echo "  service) and netbird-enricher (the traffic log enricher service)."
-  echo "  It still has to be turned on from the dashboard settings afterwards."
-  echo "  See https://docs.netbird.io/manage/activity/traffic-events-logging"
-  NETBIRD_TRAFFIC_FLOW=$(read_yes_no "Enable traffic flow" "n")
-
-  echo ""
-  NETBIRD_DOMAIN=$(read_nb_domain)
-
-  echo ""
-
-  NETBIRD_LICENSE_KEY=$(read_secret "Enter license key (input hidden)")
-
-  GHCR_USERNAME="netbirdExtAccess1"
-  GHCR_TOKEN=$(read_secret "Enter GHCR token (input hidden)")
-
-  POSTGRES_USER="netbird"
-  POSTGRES_DB="netbird"
-  POSTGRES_PASSWORD=$(rand_secret)
-  NETBIRD_ENCRYPTION_KEY=$(rand_b64_key)
-  NETBIRD_RELAY_AUTH_SECRET=$(rand_secret)
-
-  POSTGRES_DSN="host=postgres user=${POSTGRES_USER} password=${POSTGRES_PASSWORD} dbname=${POSTGRES_DB} port=5432 sslmode=disable TimeZone=UTC"
-  NETBIRD_RELAY_ENDPOINT="rels://${NETBIRD_DOMAIN}:443"
-
-  echo ""
-  echo "Selected:"
-  echo "  Traffic flow: ${NETBIRD_TRAFFIC_FLOW}"
-  echo "  Domain:       ${NETBIRD_DOMAIN}"
-  echo ""
-  echo "Rendering files into $(pwd) ..."
-  install -m 600 /dev/null .env
-  render_env >> .env
-  render_docker_compose > docker-compose.yml
-
-  if [[ -z "${NETBIRD_LICENSE_SERVER_BASE_URL:-}" ]]; then
-    sed -i.bak '/NETBIRD_LICENSE_SERVER_BASE_URL/d' docker-compose.yml && rm -f docker-compose.yml.bak
-  fi
-  render_caddyfile > Caddyfile
-  install -m 600 /dev/null config.yaml
-  render_config_yaml >> config.yaml
-
-  echo "Logging in to ghcr.io ..."
-  printf '%s' "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_USERNAME" --password-stdin
-  unset GHCR_TOKEN
-
-  echo ""
-  echo "Pulling images ..."
-  $DOCKER_COMPOSE_COMMAND pull
-
-  echo ""
-  echo "Starting postgres ..."
-  $DOCKER_COMPOSE_COMMAND up -d postgres
-  sleep 2
-  wait_postgres
-
-  echo ""
-  echo "Starting remaining services ..."
-  $DOCKER_COMPOSE_COMMAND up -d
-
-  echo ""
-  echo "Done."
-  echo ""
-  echo "Dashboard: https://${NETBIRD_DOMAIN}"
-  echo ""
-  echo "Open the dashboard in a browser to complete the first-login owner setup."
-  echo "All configuration and secrets are stored (mode 600) in $(pwd)/.env"
-  echo ""
-  echo "Tail logs:"
-  echo "  cd $(pwd) && $DOCKER_COMPOSE_COMMAND logs -f netbird-server caddy"
-}
-
-# ------------------------------------------------------------------
-# Renderers
-# ------------------------------------------------------------------
-
-render_env() {
-  cat <<EOF
-# Generated by getting-started-enterprise.sh
-# Holds all configuration and secrets for the stack. Mode 600.
-
-# Features (set by the script; don't edit without re-running)
-NETBIRD_TRAFFIC_FLOW_ENABLED=${NETBIRD_TRAFFIC_FLOW}
-
-# Domain
-NETBIRD_DOMAIN=${NETBIRD_DOMAIN}
-
-# Image tags. Default to "latest"
-NETBIRD_DASHBOARD_TAG=${NETBIRD_DASHBOARD_TAG:-latest}
-NETBIRD_SERVER_TAG=${NETBIRD_SERVER_TAG:-latest}
-EOF
-
-  if [[ "$NETBIRD_TRAFFIC_FLOW" == "yes" ]]; then
-    cat <<EOF
-NETBIRD_ENRICHER_TAG=${NETBIRD_ENRICHER_TAG:-latest}
-NETBIRD_RECEIVER_TAG=${NETBIRD_RECEIVER_TAG:-latest}
-EOF
-  fi
-
-  cat <<EOF
-
-# License keys
-EOF
-  if [[ -n "${NETBIRD_LICENSE_SERVER_BASE_URL:-}" ]]; then
-    cat <<EOF
-NETBIRD_LICENSE_SERVER_BASE_URL=${NETBIRD_LICENSE_SERVER_BASE_URL}
-EOF
-  fi
-  cat <<EOF
-NETBIRD_LICENSE_KEY=${NETBIRD_LICENSE_KEY}
-EOF
-
-  cat <<EOF
-
-# Postgres
-POSTGRES_USER=${POSTGRES_USER}
-POSTGRES_DB=${POSTGRES_DB}
-POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
-NETBIRD_STORE_ENGINE_POSTGRES_DSN=${POSTGRES_DSN}
-
-# Relay
-NETBIRD_RELAY_ENDPOINT=${NETBIRD_RELAY_ENDPOINT}
-NETBIRD_RELAY_AUTH_SECRET=${NETBIRD_RELAY_AUTH_SECRET}
-
-# Datastore encryption
-NETBIRD_ENCRYPTION_KEY=${NETBIRD_ENCRYPTION_KEY}
-
-# Dashboard OIDC scopes
-NETBIRD_AUTH_SUPPORTED_SCOPES=${NETBIRD_AUTH_SUPPORTED_SCOPES:-openid profile email groups}
-EOF
-}
-
-render_docker_compose() {
-  render_compose_header
-  render_compose_common
-  render_compose_server
-  if [[ "$NETBIRD_TRAFFIC_FLOW" == "yes" ]]; then
-    render_compose_flow
-  fi
-  render_compose_postgres
-  render_compose_footer
-}
-
-render_compose_header() {
-  cat <<'EOF'
-x-default: &default
-  restart: unless-stopped
-  logging:
-    driver: json-file
-    options:
-      max-size: '500m'
-      max-file: '2'
-
-services:
-EOF
-}
-
-render_compose_common() {
-  cat <<'EOF'
-  caddy:
-    <<: *default
-    image: caddy:2
-    container_name: netbird-caddy
-    networks: [netbird]
-    environment:
-      - CADDY_SECURE_DOMAIN=${NETBIRD_DOMAIN}
-    ports:
-      - '443:443'
-      - '443:443/udp'
-      - '80:80'
-    volumes:
-      - netbird_caddy_data:/data
-      - ./Caddyfile:/etc/caddy/Caddyfile
-
-  dashboard:
-    <<: *default
-    image: ghcr.io/netbirdio/dashboard-cloud:${NETBIRD_DASHBOARD_TAG}
-    container_name: netbird-dashboard
-    networks: [netbird]
-    environment:
-      - NETBIRD_MGMT_API_ENDPOINT=https://${NETBIRD_DOMAIN}
-      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://${NETBIRD_DOMAIN}
-      - AUTH_AUDIENCE=netbird-dashboard
-      - AUTH_CLIENT_ID=netbird-dashboard
-      - AUTH_CLIENT_SECRET=
-      - AUTH_AUTHORITY=https://${NETBIRD_DOMAIN}/oauth2
-      - USE_AUTH0=false
-      - AUTH_SUPPORTED_SCOPES=${NETBIRD_AUTH_SUPPORTED_SCOPES}
-      - AUTH_REDIRECT_URI=/nb-auth
-      - AUTH_SILENT_REDIRECT_URI=/nb-silent-auth
-      - NETBIRD_TOKEN_SOURCE=accessToken
-      - NGINX_SSL_PORT=443
-      - LETSENCRYPT_DOMAIN=
-      - LETSENCRYPT_EMAIL=
-
-EOF
-}
-
-render_compose_server() {
-  cat <<'EOF'
-  netbird-server:
-    <<: *default
-    image: ghcr.io/netbirdio/netbird-server-cloud:${NETBIRD_SERVER_TAG}
-    container_name: netbird-server
-    networks: [netbird]
-    depends_on:
-      dashboard:
-        condition: service_started
-      postgres:
-        condition: service_healthy
-    ports:
-      - '3478:3478/udp'
-    volumes:
-      - netbird_data:/var/lib/netbird
-      - ./config.yaml:/etc/netbird/config.yaml
-    command: ["--config", "/etc/netbird/config.yaml"]
-    environment:
-      - NB_LICENSE_KEY=${NETBIRD_LICENSE_KEY}
-      - NETBIRD_LICENSE_SERVER_BASE_URL=${NETBIRD_LICENSE_SERVER_BASE_URL}
-
-EOF
-}
-
-render_compose_flow() {
-  cat <<'EOF'
-  nats:
-    <<: *default
-    image: nats:2
-    container_name: netbird-nats
-    networks: [netbird]
-    volumes:
-      - netbird_nats_data:/data
-    command: ["-m", "8222", "--jetstream", "--store_dir", "/data"]
-
-  enricher:
-    <<: *default
-    image: ghcr.io/netbirdio/flow-enricher-cloud:${NETBIRD_ENRICHER_TAG}
-    container_name: netbird-enricher
-    networks: [netbird]
-    depends_on:
-      postgres:
-        condition: service_healthy
-      nats:
-        condition: service_started
-    volumes:
-      - netbird_enricher:/var/lib/netbird
-    environment:
-      - NB_LICENSE_KEY=${NETBIRD_LICENSE_KEY}
-      - NETBIRD_LICENSE_SERVER_BASE_URL=${NETBIRD_LICENSE_SERVER_BASE_URL}
-      - NB_DATADIR=/var/lib/netbird
-      - NB_MANAGEMENT_STORE_ENGINE=postgres
-      - NB_MANAGEMENT_POSTGRES_DSN=${NETBIRD_STORE_ENGINE_POSTGRES_DSN}
-      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=${NETBIRD_STORE_ENGINE_POSTGRES_DSN}
-      - NB_TRAFFIC_EVENT_POSTGRES_DSN=${NETBIRD_STORE_ENGINE_POSTGRES_DSN}
-      - NB_TRAFFIC_EVENT_STORE_ENGINE=postgres
-      - NB_MANAGEMENT_STORE_KEY=${NETBIRD_ENCRYPTION_KEY}
-      - NB_FLOW_ADAPTER_TYPE=nats
-      - NB_FLOW_NATS_ENDPOINTS=nats://nats:4222
-      - NB_FLOW_NATS_STREAM=traffic-events
-      - NB_METRICS_PORT=9091
-      - NB_PERSISTENCE_RETENTION_PERIOD=168h
-
-  receiver:
-    <<: *default
-    image: ghcr.io/netbirdio/flow-receiver-cloud:${NETBIRD_RECEIVER_TAG}
-    container_name: netbird-receiver
-    networks: [netbird]
-    depends_on:
-      nats:
-        condition: service_started
-    environment:
-      - NB_LICENSE_KEY=${NETBIRD_LICENSE_KEY}
-      - NETBIRD_LICENSE_SERVER_BASE_URL=${NETBIRD_LICENSE_SERVER_BASE_URL}
-      - NB_FLOW_LISTEN_PORT=80
-      - NB_FLOW_ADAPTER_TYPE=nats
-      - NB_FLOW_NATS_ENDPOINTS=nats://nats:4222
-      - NB_FLOW_NATS_STREAM=traffic-events
-      - NB_FLOW_AUTH_SECRET=${NETBIRD_RELAY_AUTH_SECRET}
-
-EOF
-}
-
-render_compose_postgres() {
-  cat <<'EOF'
-  postgres:
-    <<: *default
-    image: postgres:17
-    container_name: netbird-postgres
-    networks: [netbird]
-    environment:
-      - POSTGRES_USER=${POSTGRES_USER}
-      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
-      - POSTGRES_DB=${POSTGRES_DB}
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
-      interval: 10s
-      timeout: 5s
-      retries: 10
-    volumes:
-      - netbird_postgres:/var/lib/postgresql/data
-
-EOF
-}
-
-render_compose_footer() {
-  cat <<'EOF'
-volumes:
-  netbird_data:
-EOF
-  if [[ "$NETBIRD_TRAFFIC_FLOW" == "yes" ]]; then
-    cat <<'EOF'
-  netbird_nats_data:
-  netbird_enricher:
-EOF
-  fi
-  cat <<'EOF'
-  netbird_postgres:
-  netbird_caddy_data:
-
-networks:
-  netbird:
-EOF
-}
-
-render_caddyfile() {
-  cat <<'EOF'
-{
-  servers :80,:443 {
-    protocols h1 h2c h2 h3
-  }
-}
-
-(security_headers) {
-    header * {
-        Strict-Transport-Security "max-age=3600; includeSubDomains; preload"
-        X-Content-Type-Options "nosniff"
-        X-Frame-Options "SAMEORIGIN"
-        X-XSS-Protection "1; mode=block"
-        -Server
-        Referrer-Policy strict-origin-when-cross-origin
-    }
-}
-
-:80 {
-    redir https://{$CADDY_SECURE_DOMAIN}{uri} permanent
-}
-
-{$CADDY_SECURE_DOMAIN}:443 {
-    import security_headers
-    # Signal (gRPC over h2c)
-    reverse_proxy /signalexchange.SignalExchange/* h2c://netbird-server:80
-    # Management (gRPC over h2c + HTTP)
-    reverse_proxy /management.ManagementService/* h2c://netbird-server:80
-    reverse_proxy /api/* netbird-server:80
-    reverse_proxy /ws-proxy/* netbird-server:80
-    # Embedded IdP (OAuth2 endpoints served by netbird server)
-    reverse_proxy /oauth2/* netbird-server:80
-    # Relay (WebSocket multiplexed on the same port)
-    reverse_proxy /relay* netbird-server:80
-EOF
-
-  if [[ "$NETBIRD_TRAFFIC_FLOW" == "yes" ]]; then
-    cat <<'EOF'
-    # Flow receiver (gRPC over h2c)
-    reverse_proxy /flow.FlowService/* h2c://receiver:80
-EOF
-  fi
-
-  cat <<'EOF'
-    # Dashboard
-    reverse_proxy /* dashboard:80
-}
-EOF
-}
-
-render_config_yaml() {
-  cat <<EOF
-# NetBird Enterprise server configuration.
-# Generated by getting-started-enterprise.sh. Mode 600.
-
-server:
-  listenAddress: ":80"
-  exposedAddress: "https://${NETBIRD_DOMAIN}:443"
-
-  metricsPort: 9090
-  healthcheckAddress: ":9000"
-
-  logLevel: "info"
-  logFile: "console"
-
-  # TLS is terminated by Caddy in front; leave this block empty.
-  tls:
-    certFile: ""
-    keyFile: ""
-    letsencrypt:
-      enabled: false
-
-  authSecret: "${NETBIRD_RELAY_AUTH_SECRET}"
-  dataDir: "/var/lib/netbird/"
-
-  disableAnonymousMetrics: false
-  disableGeoliteUpdate: false
-
-  auth:
-    issuer: "https://${NETBIRD_DOMAIN}/oauth2"
-    localAuthDisabled: false
-    signKeyRefreshEnabled: false
-    dashboardRedirectURIs:
-      - "https://${NETBIRD_DOMAIN}/nb-auth"
-      - "https://${NETBIRD_DOMAIN}/nb-silent-auth"
-    cliRedirectURIs:
-      - "http://localhost:53000/"
-
-  store:
-    engine: "postgres"
-    dsn: "${POSTGRES_DSN}"
-    encryptionKey: "${NETBIRD_ENCRYPTION_KEY}"
-
-  activityStore:
-    engine: "postgres"
-    dsn: "${POSTGRES_DSN}"
-EOF
-
-  if [[ "$NETBIRD_TRAFFIC_FLOW" == "yes" ]]; then
-    cat <<EOF
-
-  trafficFlow:
-    enabled: true
-    address: "https://${NETBIRD_DOMAIN}:443"
-    interval: "60s"
-EOF
-  fi
-}
-
-init_environment
--- a/infrastructure_files/migrate-to-enterprise.sh
+++ b/infrastructure_files/migrate-to-enterprise.sh
@@ -1,638 +0,0 @@
-#!/bin/bash
-
-set -e
-set -o pipefail
-
-# NetBird — community combined → Enterprise combined migration
-#
-# Non-destructive migration: produces docker-compose.override.yml (auto-loaded
-# by docker compose) and config.yaml.enterprise alongside the operator's
-# existing files. Original docker-compose.yml and config.yaml are never
-# modified.
-#
-# Steps (all optional, asked interactively):
-#   1. Image swap         — replace community images with enterprise cloud images.
-#   2. Postgres migration — add Postgres, migrate SQLite data via migrate-store.
-#   3. Traffic flow       — add NATS + flow-enricher + flow-receiver.
-#
-# To revert:
-#   docker compose down
-#   rm -f docker-compose.override.yml config.yaml.enterprise
-#   # If Postgres migration was done, also restore the SQLite backup printed
-#   # at the end of this script's run.
-#   docker compose up -d
-
-OVERRIDE_FILE="docker-compose.override.yml"
-ENTERPRISE_CONFIG_FILE="config.yaml.enterprise"
-
-check_docker_compose() {
-  if command -v docker-compose &> /dev/null; then
-    echo "docker-compose"
-    return
-  fi
-  if docker compose --help &> /dev/null; then
-    echo "docker compose"
-    return
-  fi
-  echo "docker-compose is not installed or not in PATH." > /dev/stderr
-  exit 1
-}
-
-check_yq() {
-  if ! command -v yq &> /dev/null; then
-    cat > /dev/stderr <<'EOF'
-yq is required to parse and update YAML safely.
-
-  macOS:   brew install yq
-  Linux:   https://github.com/mikefarah/yq/releases (download binary into PATH)
-  Debian:  apt-get install yq   (Note: must be the mikefarah Go yq, not the Python wrapper.)
-
-EOF
-    exit 1
-  fi
-  if ! yq --version 2>&1 | grep -q "mikefarah"; then
-    echo "yq is present but appears to be the wrong implementation. The mikefarah Go-based yq is required (https://github.com/mikefarah/yq)." > /dev/stderr
-    exit 1
-  fi
-}
-
-check_openssl() {
-  if ! command -v openssl &> /dev/null; then
-    echo "openssl is not installed or not in PATH." > /dev/stderr
-    exit 1
-  fi
-}
-
-rand_password() {
-  openssl rand -hex 32
-}
-
-read_required() {
-  local prompt="$1"
-  local value=""
-  while [[ -z "$value" ]]; do
-    echo -n "$prompt: " > /dev/stderr
-    read -r value < /dev/tty
-    if [[ -z "$value" ]]; then
-      echo "Value cannot be empty." > /dev/stderr
-    fi
-  done
-  echo "$value"
-}
-
-read_secret() {
-  local prompt="$1"
-  local value=""
-  while [[ -z "$value" ]]; do
-    echo -n "$prompt: " > /dev/stderr
-    read -rs value < /dev/tty
-    echo "" > /dev/stderr
-    if [[ -z "$value" ]]; then
-      echo "Value cannot be empty." > /dev/stderr
-    fi
-  done
-  echo "$value"
-}
-
-read_yes_no() {
-  local prompt="$1"
-  local default="${2:-n}"
-  local hint
-  if [[ "$default" == "y" ]]; then
-    hint="[Y/n]"
-  else
-    hint="[y/N]"
-  fi
-  echo -n "${prompt} ${hint}: " > /dev/stderr
-  local ans=""
-  read -r ans < /dev/tty
-  if [[ -z "$ans" ]]; then
-    ans="$default"
-  fi
-  case "$ans" in
-    [Yy] | [Yy][Ee][Ss]) echo "yes" ;;
-    *) echo "no" ;;
-  esac
-}
-
-# ---------------------------------------------------------------------------
-# Detection — read the operator's existing compose to find service names and
-# paths we need to override. Bail loudly if shape isn't recognised.
-# ---------------------------------------------------------------------------
-
-detect_combined_service() {
-  yq eval '.services | to_entries | map(select(.value.image | test("^netbirdio/netbird-server"))) | .[0].key // ""' "$COMPOSE_FILE"
-}
-
-detect_dashboard_service() {
-  yq eval '.services | to_entries | map(select(.value.image | test("^netbirdio/dashboard"))) | .[0].key // ""' "$COMPOSE_FILE"
-}
-
-detect_config_yaml_host_path() {
-  yq eval ".services[\"$COMBINED_SERVICE\"].volumes[] | select(. | test(\":/etc/netbird/config.yaml\")) | sub(\":/etc/netbird/config.yaml.*\"; \"\") // \"\"" "$COMPOSE_FILE" | head -1
-}
-
-detect_data_volume() {
-  yq eval ".services[\"$COMBINED_SERVICE\"].volumes[] | select(. | test(\":/var/lib/netbird\")) | sub(\":/var/lib/netbird.*\"; \"\") // \"\"" "$COMPOSE_FILE" | head -1
-}
-
-detect_exposed_address() {
-  yq eval '.server.exposedAddress // ""' "$CONFIG_YAML_HOST"
-}
-
-detect_compose_network() {
-  local tag
-  tag=$(yq eval ".services[\"$COMBINED_SERVICE\"].networks | tag" "$COMPOSE_FILE" 2>/dev/null)
-  case "$tag" in
-    "!!seq")
-      yq eval ".services[\"$COMBINED_SERVICE\"].networks[0]" "$COMPOSE_FILE"
-      ;;
-    "!!map")
-      yq eval ".services[\"$COMBINED_SERVICE\"].networks | keys | .[0]" "$COMPOSE_FILE"
-      ;;
-    *)
-      echo "default"
-      ;;
-  esac
-}
-
-# ---------------------------------------------------------------------------
-# Renderers
-# ---------------------------------------------------------------------------
-
-# Build docker-compose.override.yml from the steps the operator selected.
-# Service names match what we detected on the operator's side.
-render_override() {
-  cat <<EOF
-# Generated by migrate-to-enterprise.sh. Mode 644.
-# Merged with docker-compose.yml automatically by Docker Compose.
-# Remove this file (and config.yaml.enterprise if present) to revert.
-
-services:
-  ${DASHBOARD_SERVICE}:
-    image: \${NETBIRD_DASHBOARD_IMAGE:-ghcr.io/netbirdio/dashboard-cloud:latest}
-
-  ${COMBINED_SERVICE}:
-    image: \${NETBIRD_SERVER_IMAGE:-ghcr.io/netbirdio/netbird-server-cloud:latest}
-    environment:
-      NB_LICENSE_KEY: \${NB_LICENSE_KEY}
-      NETBIRD_LICENSE_SERVER_BASE_URL: \${NETBIRD_LICENSE_SERVER_BASE_URL}
-EOF
-
-  if [[ "$MIGRATE_POSTGRES" == "yes" ]]; then
-    cat <<EOF
-    depends_on:
-      postgres:
-        condition: service_healthy
-    volumes:
-      - ./${ENTERPRISE_CONFIG_FILE}:/etc/netbird/config.yaml.enterprise:ro
-    command: ["--config", "/etc/netbird/config.yaml.enterprise"]
-
-  postgres:
-    image: postgres:17
-    container_name: netbird-postgres
-    restart: unless-stopped
-    networks: [${COMPOSE_NETWORK}]
-    environment:
-      POSTGRES_USER: netbird
-      POSTGRES_PASSWORD: \${POSTGRES_PASSWORD}
-      POSTGRES_DB: netbird
-    volumes:
-      - netbird_postgres:/var/lib/postgresql/data
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U netbird -d netbird"]
-      interval: 5s
-      timeout: 5s
-      retries: 20
-EOF
-  fi
-
-  if [[ "$ENABLE_FLOW" == "yes" ]]; then
-    cat <<EOF
-
-  nats:
-    image: nats:2
-    container_name: netbird-nats
-    restart: unless-stopped
-    networks: [${COMPOSE_NETWORK}]
-    command: ["-m", "8222", "--jetstream", "--store_dir", "/data"]
-    volumes:
-      - netbird_nats_data:/data
-
-  flow-enricher:
-    image: ghcr.io/netbirdio/flow-enricher-cloud:latest
-    container_name: netbird-flow-enricher
-    restart: unless-stopped
-    networks: [${COMPOSE_NETWORK}]
-    depends_on:
-      postgres:
-        condition: service_healthy
-      nats:
-        condition: service_started
-    environment:
-      NB_LICENSE_KEY: \${NB_LICENSE_KEY}
-      NETBIRD_LICENSE_SERVER_BASE_URL: \${NETBIRD_LICENSE_SERVER_BASE_URL}
-      NB_DATADIR: /var/lib/netbird
-      NB_MANAGEMENT_STORE_ENGINE: postgres
-      NB_MANAGEMENT_POSTGRES_DSN: "host=postgres user=netbird password=\${POSTGRES_PASSWORD} dbname=netbird port=5432 sslmode=disable"
-      NB_STORE_ENGINE_POSTGRES_DSN: "host=postgres user=netbird password=\${POSTGRES_PASSWORD} dbname=netbird port=5432 sslmode=disable"
-      NB_TRAFFIC_EVENT_STORE_ENGINE: postgres
-      NB_TRAFFIC_EVENT_POSTGRES_DSN: "host=postgres user=netbird password=\${POSTGRES_PASSWORD} dbname=netbird port=5432 sslmode=disable"
-      NB_MANAGEMENT_STORE_KEY: \${NETBIRD_ENCRYPTION_KEY}
-      NB_FLOW_ADAPTER_TYPE: nats
-      NB_FLOW_NATS_ENDPOINTS: nats://nats:4222
-      NB_FLOW_NATS_STREAM: traffic-events
-      NB_METRICS_PORT: 9091
-      NB_PERSISTENCE_RETENTION_PERIOD: 168h
-
-  flow-receiver:
-    image: ghcr.io/netbirdio/flow-receiver-cloud:latest
-    container_name: netbird-flow-receiver
-    restart: unless-stopped
-    networks: [${COMPOSE_NETWORK}]
-    depends_on:
-      nats:
-        condition: service_started
-    environment:
-      NB_LICENSE_KEY: \${NB_LICENSE_KEY}
-      NETBIRD_LICENSE_SERVER_BASE_URL: \${NETBIRD_LICENSE_SERVER_BASE_URL}
-      NB_FLOW_LISTEN_PORT: 80
-      NB_FLOW_ADAPTER_TYPE: nats
-      NB_FLOW_NATS_ENDPOINTS: nats://nats:4222
-      NB_FLOW_NATS_STREAM: traffic-events
-      NB_FLOW_AUTH_SECRET: \${NB_FLOW_AUTH_SECRET}
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.netbird-flow.rule=Host(\`${NETBIRD_HOSTNAME}\`) && PathPrefix(\`/flow.FlowService/\`)
-      - traefik.http.routers.netbird-flow.entrypoints=websecure
-      - traefik.http.routers.netbird-flow.tls=true
-      - traefik.http.routers.netbird-flow.tls.certresolver=letsencrypt
-      - traefik.http.routers.netbird-flow.service=netbird-flow-h2c
-      - traefik.http.routers.netbird-flow.priority=100
-      - traefik.http.services.netbird-flow-h2c.loadbalancer.server.port=80
-      - traefik.http.services.netbird-flow-h2c.loadbalancer.server.scheme=h2c
-EOF
-  fi
-
-  # Volume declarations for anything new the override introduced
-  local has_volumes="no"
-  if [[ "$MIGRATE_POSTGRES" == "yes" ]] || [[ "$ENABLE_FLOW" == "yes" ]]; then
-    has_volumes="yes"
-  fi
-
-  if [[ "$has_volumes" == "yes" ]]; then
-    cat <<EOF
-
-volumes:
-EOF
-    if [[ "$MIGRATE_POSTGRES" == "yes" ]]; then
-      echo "  netbird_postgres:"
-    fi
-    if [[ "$ENABLE_FLOW" == "yes" ]]; then
-      echo "  netbird_nats_data:"
-    fi
-  fi
-}
-
-# Build config.yaml.enterprise by yq-editing the operator's existing
-# config.yaml. We don't touch the original file.
-render_enterprise_config() {
-  local pg_dsn="host=postgres user=netbird password=${POSTGRES_PASSWORD} dbname=netbird port=5432 sslmode=disable"
-
-  yq eval "
-    .server.store.engine = \"postgres\" |
-    .server.store.dsn = \"$pg_dsn\" |
-    .server.activityStore.engine = \"postgres\" |
-    .server.activityStore.dsn = \"$pg_dsn\" |
-    .server.authStore.engine = \"postgres\" |
-    .server.authStore.dsn = \"$pg_dsn\"
-  " "$CONFIG_YAML_HOST" > "$ENTERPRISE_CONFIG_FILE"
-
-  if [[ "$ENABLE_FLOW" == "yes" ]]; then
-    local flow_addr="${NETBIRD_DOMAIN}"
-    yq eval -i "
-      .server.trafficFlow.enabled = true |
-      .server.trafficFlow.address = \"$flow_addr\" |
-      .server.trafficFlow.interval = \"60s\"
-    " "$ENTERPRISE_CONFIG_FILE"
-  fi
-}
-
-# ---------------------------------------------------------------------------
-# Execution steps
-# ---------------------------------------------------------------------------
-
-resolve_data_volume() {
-  local short="$1"
-  local actual
-  # Resolve project-prefixed volume name from Docker Compose config first.
-  actual=$($DOCKER_COMPOSE_COMMAND config 2>/dev/null | yq eval ".volumes.\"$short\".name" - 2>/dev/null)
-  if [[ -n "$actual" && "$actual" != "null" ]]; then
-    echo "$actual"
-    return
-  fi
-  # Relative bind mount: docker-compose resolves it against the compose
-  # file's directory, but `docker run -v` resolves it against the current
-  # working directory. Normalize to an absolute path so both interpretations
-  # agree (and the printed revert command works from any CWD).
-  if [[ "$short" == ./* || "$short" == ../* ]]; then
-    local compose_dir
-    compose_dir="$(cd "$(dirname "$COMPOSE_FILE")" && pwd)"
-    (
-      cd "$compose_dir"
-      cd "$(dirname "$short")"
-      printf '%s/%s\n' "$(pwd)" "$(basename "$short")"
-    )
-    return
-  fi
-  # Not a named volume (e.g. an absolute bind-mount path) — use it as-is.
-  echo "$short"
-}
-
-backup_sqlite() {
-  BACKUP_DIR="$(pwd)/backups/sqlite-pre-enterprise-$(date +%Y%m%d-%H%M%S)"
-  mkdir -p "$BACKUP_DIR"
-  local data_volume_actual
-  data_volume_actual=$(resolve_data_volume "$DATA_VOLUME")
-  echo "Backing up SQLite store from volume '$data_volume_actual' to $BACKUP_DIR ..."
-  docker run --rm \
-    -v "${data_volume_actual}:/var/lib/netbird:ro" \
-    -v "${BACKUP_DIR}:/backup" \
-    busybox \
-    sh -c 'cp -a /var/lib/netbird/. /backup/ 2>/dev/null || true'
-  local copied
-  copied=$(find "$BACKUP_DIR" -mindepth 1 | head -1)
-  if [[ -z "$copied" ]]; then
-    echo "  ⚠ Backup directory is empty — the volume '$data_volume_actual' didn't contain data. Aborting." > /dev/stderr
-    exit 1
-  fi
-  echo "  done"
-}
-
-run_migrate_store() {
-  echo "Running migrate-store (SQLite → Postgres) ..."
-  $DOCKER_COMPOSE_COMMAND run --rm "$COMBINED_SERVICE" migrate-store --config /etc/netbird/config.yaml.enterprise --verify
-  echo "  done"
-}
-
-# ---------------------------------------------------------------------------
-# Main
-# ---------------------------------------------------------------------------
-
-init_migration() {
-  DOCKER_COMPOSE_COMMAND=$(check_docker_compose)
-  check_yq
-  check_openssl
-
-  COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.yml}"
-
-  if [[ ! -f "$COMPOSE_FILE" ]]; then
-    echo "$COMPOSE_FILE not found in $(pwd)." > /dev/stderr
-    exit 1
-  fi
-  if [[ -f "$OVERRIDE_FILE" ]] || [[ -f "$ENTERPRISE_CONFIG_FILE" ]]; then
-    echo "Migration artifacts already exist in $(pwd):"
-    [[ -f "$OVERRIDE_FILE" ]] && echo "  $OVERRIDE_FILE"
-    [[ -f "$ENTERPRISE_CONFIG_FILE" ]] && echo "  $ENTERPRISE_CONFIG_FILE"
-    echo ""
-    echo "Either you've already migrated, or a previous run was interrupted."
-    echo "To re-run cleanly: rm -f $OVERRIDE_FILE $ENTERPRISE_CONFIG_FILE"
-    exit 1
-  fi
-
-  COMBINED_SERVICE=$(detect_combined_service)
-  DASHBOARD_SERVICE=$(detect_dashboard_service)
-  CONFIG_YAML_HOST=$(detect_config_yaml_host_path)
-  DATA_VOLUME=$(detect_data_volume)
-  COMPOSE_NETWORK=$(detect_compose_network)
-
-  if [[ -z "$COMBINED_SERVICE" ]]; then
-    echo "Could not find a service running netbirdio/netbird-server* in $COMPOSE_FILE." > /dev/stderr
-    echo "This script targets the community combined-server deployment." > /dev/stderr
-    exit 1
-  fi
-  if [[ -z "$DASHBOARD_SERVICE" ]]; then
-    echo "Could not find a service running netbirdio/dashboard* in $COMPOSE_FILE." > /dev/stderr
-    exit 1
-  fi
-  if [[ -z "$CONFIG_YAML_HOST" ]]; then
-    echo "Could not find a config.yaml mount on $COMBINED_SERVICE (expected to bind-mount to /etc/netbird/config.yaml)." > /dev/stderr
-    exit 1
-  fi
-  if [[ ! -f "$CONFIG_YAML_HOST" ]]; then
-    echo "config.yaml host file not found at $CONFIG_YAML_HOST." > /dev/stderr
-    exit 1
-  fi
-  if [[ -z "$DATA_VOLUME" ]]; then
-    echo "Could not find a volume mounted at /var/lib/netbird on $COMBINED_SERVICE." > /dev/stderr
-    exit 1
-  fi
-
-  echo "Detected existing deployment:"
-  echo "  Combined service: $COMBINED_SERVICE"
-  echo "  Dashboard:        $DASHBOARD_SERVICE"
-  echo "  config.yaml:      $CONFIG_YAML_HOST"
-  echo "  Data volume:      $DATA_VOLUME"
-  echo "  Network:          $COMPOSE_NETWORK"
-  echo ""
-
-  local proceed
-  proceed=$(read_yes_no "Proceed with migration?" "y")
-  if [[ "$proceed" != "yes" ]]; then
-    echo "Aborted."
-    exit 0
-  fi
-
-  # Step 1 — always (this is the point of the script)
-  MIGRATE_IMAGES="yes"
-  echo ""
-  echo "Step 1: Image swap (community → Enterprise). License key required."
-  NB_LICENSE_KEY=$(read_secret "  License key")
-  GHCR_USERNAME="netbirdExtAccess1"
-  GHCR_TOKEN=$(read_secret "  GHCR token (input hidden)")
-
-  # Step 2 — optional
-  echo ""
-  MIGRATE_POSTGRES=$(read_yes_no "Step 2: Migrate storage from SQLite to Postgres? (recommended)" "n")
-  if [[ "$MIGRATE_POSTGRES" == "yes" ]]; then
-    echo ""
-    echo "  ⚠  Data will be migrated from SQLite to Postgres. The SQLite store"
-    echo "     will be backed up automatically. To fully revert later, restore"
-    echo "     that backup and delete docker-compose.override.yml +"
-    echo "     config.yaml.enterprise."
-    local confirm
-    confirm=$(read_yes_no "  Continue?" "y")
-    if [[ "$confirm" != "yes" ]]; then
-      MIGRATE_POSTGRES="no"
-      echo "  Skipping Postgres migration."
-    else
-      POSTGRES_PASSWORD=$(rand_password)
-    fi
-  fi
-
-  # Step 3 — optional, only if Postgres is on (flow requires Postgres)
-  echo ""
-  if [[ "$MIGRATE_POSTGRES" == "yes" ]]; then
-    ENABLE_FLOW=$(read_yes_no "Step 3: Enable traffic flow? (requires Postgres)" "n")
-    if [[ "$ENABLE_FLOW" == "yes" ]]; then
-      # Auth secret MUST match server.authSecret from config.yaml
-      NB_FLOW_AUTH_SECRET=$(yq eval '.server.authSecret // ""' "$CONFIG_YAML_HOST")
-      if [[ -z "$NB_FLOW_AUTH_SECRET" ]] || [[ "$NB_FLOW_AUTH_SECRET" == "null" ]]; then
-        echo "Could not read server.authSecret from $CONFIG_YAML_HOST." > /dev/stderr
-        echo "Flow receiver auth must match the combined server's authSecret." > /dev/stderr
-        exit 1
-      fi
-
-      NETBIRD_DOMAIN=$(detect_exposed_address)
-      if [[ -z "$NETBIRD_DOMAIN" ]] || [[ "$NETBIRD_DOMAIN" == "null" ]]; then
-        NETBIRD_DOMAIN=$(read_required "  Public NetBird URL (e.g. https://netbird.example.com)")
-      fi
-      # Strip protocol + port to leave just the hostname for the Traefik Host() rule.
-      NETBIRD_HOSTNAME=$(echo "$NETBIRD_DOMAIN" | sed -E 's,^https?://,,' | sed 's,:.*,,' | sed 's,/.*,,')
-
-      # We need the encryption key from the existing config.yaml for the enricher
-      NETBIRD_ENCRYPTION_KEY=$(yq eval '.server.store.encryptionKey // ""' "$CONFIG_YAML_HOST")
-      if [[ -z "$NETBIRD_ENCRYPTION_KEY" ]] || [[ "$NETBIRD_ENCRYPTION_KEY" == "null" ]]; then
-        echo "Could not read server.store.encryptionKey from $CONFIG_YAML_HOST." > /dev/stderr
-        exit 1
-      fi
-    fi
-  else
-    ENABLE_FLOW="no"
-    echo "Step 3 (traffic flow) skipped — requires Postgres."
-  fi
-}
-
-apply_changes() {
-  echo ""
-  echo "Writing $OVERRIDE_FILE ..."
-  install -m 644 /dev/null "$OVERRIDE_FILE"
-  render_override > "$OVERRIDE_FILE"
-
-  if [[ -z "${NETBIRD_LICENSE_SERVER_BASE_URL:-}" ]]; then
-    sed -i.bak '/NETBIRD_LICENSE_SERVER_BASE_URL/d' "$OVERRIDE_FILE" && rm -f "$OVERRIDE_FILE.bak"
-  fi
-
-  if [[ "$MIGRATE_POSTGRES" == "yes" ]]; then
-    echo "Writing $ENTERPRISE_CONFIG_FILE ..."
-    install -m 600 /dev/null "$ENTERPRISE_CONFIG_FILE"
-    render_enterprise_config
-  fi
-
-  # Persist secrets that the override file references via env interpolation.
-  # We write them to a .env file in the current directory; docker compose
-  # picks it up automatically.
-  echo "Writing .env additions (mode 600) ..."
-  local ENV_FILE=".env"
-  touch "$ENV_FILE"
-  chmod 600 "$ENV_FILE"
-  {
-    echo ""
-    echo "# Added by migrate-to-enterprise.sh on $(date -u +%Y-%m-%dT%H:%M:%SZ)"
-    echo "NB_LICENSE_KEY=${NB_LICENSE_KEY}"
-    if [[ -n "${NETBIRD_LICENSE_SERVER_BASE_URL:-}" ]]; then
-      echo "NETBIRD_LICENSE_SERVER_BASE_URL=${NETBIRD_LICENSE_SERVER_BASE_URL}"
-    fi
-    if [[ "$MIGRATE_POSTGRES" == "yes" ]]; then
-      echo "POSTGRES_PASSWORD=${POSTGRES_PASSWORD}"
-    fi
-    if [[ "$ENABLE_FLOW" == "yes" ]]; then
-      echo "NB_FLOW_AUTH_SECRET=${NB_FLOW_AUTH_SECRET}"
-      echo "NETBIRD_ENCRYPTION_KEY=${NETBIRD_ENCRYPTION_KEY}"
-    fi
-  } >> "$ENV_FILE"
-
-  echo ""
-  echo "Logging in to ghcr.io ..."
-  printf '%s' "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_USERNAME" --password-stdin
-  unset GHCR_TOKEN
-
-  echo ""
-  echo "Pulling enterprise images ..."
-  $DOCKER_COMPOSE_COMMAND pull
-
-  if [[ "$MIGRATE_POSTGRES" == "yes" ]]; then
-    echo ""
-    echo "Stopping existing services (volumes preserved) ..."
-    $DOCKER_COMPOSE_COMMAND down
-
-    backup_sqlite
-
-    echo ""
-    echo "Starting Postgres ..."
-    $DOCKER_COMPOSE_COMMAND up -d postgres
-
-    # Wait for healthy
-    local counter=0
-    echo -n "Waiting for Postgres to become ready"
-    while ! $DOCKER_COMPOSE_COMMAND exec -T postgres pg_isready -U netbird -d netbird &> /dev/null; do
-      echo -n " ."
-      sleep 2
-      counter=$((counter + 1))
-      if [[ $counter -ge 60 ]]; then
-        echo ""
-        echo "Postgres did not become ready in 120s. Recent logs:"
-        $DOCKER_COMPOSE_COMMAND logs --tail=20 postgres
-        exit 1
-      fi
-    done
-    echo " done"
-
-    run_migrate_store
-  fi
-
-  echo ""
-  echo "Bringing up all services ..."
-  $DOCKER_COMPOSE_COMMAND up -d
-
-  echo ""
-  echo "Migration complete."
-}
-
-print_summary() {
-  echo ""
-  echo "──────────────────────────────────────────────────────────────────────"
-  echo " Summary"
-  echo "──────────────────────────────────────────────────────────────────────"
-  echo "  Images:           swapped to enterprise"
-  [[ "$MIGRATE_POSTGRES" == "yes" ]] && echo "  Storage:          Postgres (data migrated from SQLite)"
-  [[ "$MIGRATE_POSTGRES" != "yes" ]] && echo "  Storage:          SQLite (unchanged)"
-  [[ "$ENABLE_FLOW" == "yes" ]] && echo "  Traffic flow:     enabled"
-  [[ "$ENABLE_FLOW" != "yes" ]] && echo "  Traffic flow:     disabled"
-  echo ""
-  echo "  Generated files (next to your docker-compose.yml):"
-  echo "    $OVERRIDE_FILE"
-  [[ "$MIGRATE_POSTGRES" == "yes" ]] && echo "    $ENTERPRISE_CONFIG_FILE"
-  echo "    .env  (license key + secrets, mode 600)"
-  [[ "$MIGRATE_POSTGRES" == "yes" ]] && echo "    backups/sqlite-pre-enterprise-*/  (SQLite backup)"
-  echo ""
-  echo " Tail logs:"
-  echo "   $DOCKER_COMPOSE_COMMAND logs -f $COMBINED_SERVICE"
-  echo ""
-  echo "──────────────────────────────────────────────────────────────────────"
-  echo " To revert"
-  echo "──────────────────────────────────────────────────────────────────────"
-  echo "  $DOCKER_COMPOSE_COMMAND down"
-  if [[ "$MIGRATE_POSTGRES" == "yes" ]]; then
-    # Resolve project-prefixed volume names now (before override is removed).
-    local pg_volume data_volume_actual
-    pg_volume=$(resolve_data_volume "netbird_postgres")
-    data_volume_actual=$(resolve_data_volume "$DATA_VOLUME")
-    echo "  # Remove the Postgres volume FIRST, before deleting the override file:"
-    echo "  docker volume rm $pg_volume"
-    echo "  # Restore SQLite from the backup created during this run:"
-    echo "  docker run --rm -v ${data_volume_actual}:/var/lib/netbird -v ${BACKUP_DIR}:/backup busybox sh -c 'cp -a /backup/. /var/lib/netbird/'"
-  fi
-  echo "  rm -f $OVERRIDE_FILE $ENTERPRISE_CONFIG_FILE"
-  echo "  # Remove migrate-to-enterprise.sh additions from .env (search for the timestamp marker)"
-  echo "  $DOCKER_COMPOSE_COMMAND up -d"
-  echo "──────────────────────────────────────────────────────────────────────"
-}
-
-# ---------------------------------------------------------------------------
-# Run
-# ---------------------------------------------------------------------------
-
-init_migration
-apply_changes
-print_summary
--- a/management/Dockerfile
+++ b/management/Dockerfile
@@ -2,5 +2,4 @@ FROM ubuntu:24.04
 RUN apt update && apt install -y ca-certificates && rm -fr /var/cache/apt
 ENTRYPOINT [ "/go/bin/netbird-mgmt","management"]
 CMD ["--log-file", "console"]
-ARG TARGETPLATFORM
-COPY ${TARGETPLATFORM}/netbird-mgmt /go/bin/netbird-mgmt
+COPY netbird-mgmt /go/bin/netbird-mgmt
--- a/management/Dockerfile.debug
+++ b/management/Dockerfile.debug
@@ -0,0 +1,5 @@
+FROM ubuntu:24.04
+RUN apt update && apt install -y ca-certificates && rm -fr /var/cache/apt
+ENTRYPOINT [ "/go/bin/netbird-mgmt","management","--log-level","debug"]
+CMD ["--log-file", "console"]
+COPY netbird-mgmt /go/bin/netbird-mgmt
--- a/management/internals/controllers/network_map/controller/controller.go
+++ b/management/internals/controllers/network_map/controller/controller.go
@@ -585,66 +585,66 @@ func (b *bufferAffectedUpdate) setTimer(d time.Duration, f func()) {
 	b.next.Reset(d)
 }

-func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresApproval bool, accountID string, peerID string) (*types.NetworkMap, []*posture.Checks, int64, error) {
+func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresApproval bool, accountID string, peer *nbpeer.Peer) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error) {
 	if isRequiresApproval {
 		network, err := c.repo.GetAccountNetwork(ctx, accountID)
 		if err != nil {
-			return nil, nil, 0, err
+			return nil, nil, nil, 0, err
 		}

 		emptyMap := &types.NetworkMap{
 			Network: network.Copy(),
 		}
-		return emptyMap, nil, 0, nil
+		return peer, emptyMap, nil, 0, nil
 	}

 	account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
 	if err != nil {
-		return nil, nil, 0, err
+		return nil, nil, nil, 0, err
 	}

 	account.InjectProxyPolicies(ctx)

 	approvedPeersMap, err := c.integratedPeerValidator.GetValidatedPeers(ctx, account.Id, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
 	if err != nil {
-		return nil, nil, 0, err
+		return nil, nil, nil, 0, err
 	}

 	startPosture := time.Now()
-	postureChecks, err := c.getPeerPostureChecks(account, peerID)
+	postureChecks, err := c.getPeerPostureChecks(account, peer.ID)
 	if err != nil {
-		return nil, nil, 0, err
+		return nil, nil, nil, 0, err
 	}
 	log.WithContext(ctx).Debugf("getPeerPostureChecks took %s", time.Since(startPosture))

 	accountZones, err := c.repo.GetAccountZones(ctx, account.Id)
 	if err != nil {
 		log.WithContext(ctx).Errorf("failed to get account zones: %v", err)
-		return nil, nil, 0, err
+		return nil, nil, nil, 0, err
 	}

 	dnsDomain := c.GetDNSDomain(account.Settings)
 	peersCustomZone := account.GetPeersCustomZone(ctx, dnsDomain)

-	proxyNetworkMaps, err := c.proxyController.GetProxyNetworkMaps(ctx, account.Id, peerID, account.Peers)
+	proxyNetworkMaps, err := c.proxyController.GetProxyNetworkMaps(ctx, account.Id, peer.ID, account.Peers)
 	if err != nil {
 		log.WithContext(ctx).Errorf("failed to get proxy network maps: %v", err)
-		return nil, nil, 0, err
+		return nil, nil, nil, 0, err
 	}

 	resourcePolicies := account.GetResourcePoliciesMap()
 	routers := account.GetResourceRoutersMap()
 	groupIDToUserIDs := account.GetActiveGroupUsers()
-	networkMap := account.GetPeerNetworkMapFromComponents(ctx, peerID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
+	networkMap := account.GetPeerNetworkMapFromComponents(ctx, peer.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)

-	proxyNetworkMap, ok := proxyNetworkMaps[peerID]
+	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
 	if ok {
 		networkMap.Merge(proxyNetworkMap)
 	}

 	dnsFwdPort := computeForwarderPort(maps.Values(account.Peers), network_map.DnsForwarderPortMinVersion)

-	return networkMap, postureChecks, dnsFwdPort, nil
+	return peer, networkMap, postureChecks, dnsFwdPort, nil
 }

 // GetDNSDomain returns the configured dnsDomain
--- a/management/internals/controllers/network_map/interface.go
+++ b/management/internals/controllers/network_map/interface.go
@@ -23,7 +23,7 @@ type Controller interface {
 	BufferUpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string, reason types.UpdateReason) error
 	UpdateAccountPeer(ctx context.Context, accountId string, peerId string) error
 	BufferUpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) error
-	GetValidatedPeerWithMap(ctx context.Context, isRequiresApproval bool, accountID string, peerID string) (*types.NetworkMap, []*posture.Checks, int64, error)
+	GetValidatedPeerWithMap(ctx context.Context, isRequiresApproval bool, accountID string, p *nbpeer.Peer) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error)
 	GetDNSDomain(settings *types.Settings) string
 	StartWarmup(context.Context)
 	GetNetworkMap(ctx context.Context, peerID string) (*types.NetworkMap, error)
--- a/management/internals/controllers/network_map/interface_mock.go
+++ b/management/internals/controllers/network_map/interface_mock.go
@@ -127,20 +127,21 @@ func (mr *MockControllerMockRecorder) GetNetworkMap(ctx, peerID any) *gomock.Cal
 }

 // GetValidatedPeerWithMap mocks base method.
-func (m *MockController) GetValidatedPeerWithMap(ctx context.Context, isRequiresApproval bool, accountID string, peerID string) (*types.NetworkMap, []*posture.Checks, int64, error) {
+func (m *MockController) GetValidatedPeerWithMap(ctx context.Context, isRequiresApproval bool, accountID string, p *peer.Peer) (*peer.Peer, *types.NetworkMap, []*posture.Checks, int64, error) {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetValidatedPeerWithMap", ctx, isRequiresApproval, accountID, peerID)
-	ret0, _ := ret[0].(*types.NetworkMap)
-	ret1, _ := ret[1].([]*posture.Checks)
-	ret2, _ := ret[2].(int64)
-	ret3, _ := ret[3].(error)
-	return ret0, ret1, ret2, ret3
+	ret := m.ctrl.Call(m, "GetValidatedPeerWithMap", ctx, isRequiresApproval, accountID, p)
+	ret0, _ := ret[0].(*peer.Peer)
+	ret1, _ := ret[1].(*types.NetworkMap)
+	ret2, _ := ret[2].([]*posture.Checks)
+	ret3, _ := ret[3].(int64)
+	ret4, _ := ret[4].(error)
+	return ret0, ret1, ret2, ret3, ret4
 }

 // GetValidatedPeerWithMap indicates an expected call of GetValidatedPeerWithMap.
-func (mr *MockControllerMockRecorder) GetValidatedPeerWithMap(ctx, isRequiresApproval, accountID, peerID any) *gomock.Call {
+func (mr *MockControllerMockRecorder) GetValidatedPeerWithMap(ctx, isRequiresApproval, accountID, p any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetValidatedPeerWithMap", reflect.TypeOf((*MockController)(nil).GetValidatedPeerWithMap), ctx, isRequiresApproval, accountID, peerID)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetValidatedPeerWithMap", reflect.TypeOf((*MockController)(nil).GetValidatedPeerWithMap), ctx, isRequiresApproval, accountID, p)
 }

 // OnPeerConnected mocks base method.
--- a/management/internals/modules/peers/manager.go
+++ b/management/internals/modules/peers/manager.go
@@ -242,7 +242,7 @@ func (m *managerImpl) CreateProxyPeer(ctx context.Context, accountID string, pee
 		},
 	}

-	_, _, _, _, err = m.accountManager.AddPeer(ctx, accountID, "", "", peer, true)
+	_, _, _, err = m.accountManager.AddPeer(ctx, accountID, "", "", peer, true)
 	if err != nil {
 		return fmt.Errorf("failed to create proxy peer: %w", err)
 	}
--- a/management/internals/modules/reverseproxy/service/manager/manager_test.go
+++ b/management/internals/modules/reverseproxy/service/manager/manager_test.go
@@ -434,7 +434,7 @@ func TestDeletePeerService_SourcePeerValidation(t *testing.T) {
 		t.Helper()
 		tokenStore := nbgrpc.NewOneTimeTokenStore(context.Background(), testCacheStore(t))
 		pkceStore := nbgrpc.NewPKCEVerifierStore(context.Background(), testCacheStore(t))
-		srv := nbgrpc.NewProxyServiceServer(nil, tokenStore, pkceStore, nbgrpc.ProxyOIDCConfig{}, nil, nil, nil, nil, nil)
+		srv := nbgrpc.NewProxyServiceServer(nil, tokenStore, pkceStore, nbgrpc.ProxyOIDCConfig{}, nil, nil, nil, nil)
 		return srv
 	}

@@ -723,7 +723,7 @@ func setupIntegrationTest(t *testing.T) (*Manager, store.Store) {

 	tokenStore := nbgrpc.NewOneTimeTokenStore(ctx, testCacheStore(t))
 	pkceStore := nbgrpc.NewPKCEVerifierStore(ctx, testCacheStore(t))
-	proxySrv := nbgrpc.NewProxyServiceServer(nil, tokenStore, pkceStore, nbgrpc.ProxyOIDCConfig{}, nil, nil, nil, nil, nil)
+	proxySrv := nbgrpc.NewProxyServiceServer(nil, tokenStore, pkceStore, nbgrpc.ProxyOIDCConfig{}, nil, nil, nil, nil)

 	proxyController, err := proxymanager.NewGRPCController(proxySrv, noop.NewMeterProvider().Meter(""))
 	require.NoError(t, err)
@@ -1147,7 +1147,7 @@ func TestDeleteService_DeletesTargets(t *testing.T) {

 	tokenStore := nbgrpc.NewOneTimeTokenStore(ctx, testCacheStore(t))
 	pkceStore := nbgrpc.NewPKCEVerifierStore(ctx, testCacheStore(t))
-	proxySrv := nbgrpc.NewProxyServiceServer(nil, tokenStore, pkceStore, nbgrpc.ProxyOIDCConfig{}, nil, nil, nil, nil, nil)
+	proxySrv := nbgrpc.NewProxyServiceServer(nil, tokenStore, pkceStore, nbgrpc.ProxyOIDCConfig{}, nil, nil, nil, nil)

 	proxyController, err := proxymanager.NewGRPCController(proxySrv, noop.NewMeterProvider().Meter(""))
 	require.NoError(t, err)
--- a/management/internals/server/boot.go
+++ b/management/internals/server/boot.go
@@ -120,7 +120,7 @@ func (s *BaseServer) EventStore() activity.Store {

 func (s *BaseServer) APIHandler() http.Handler {
 	return Create(s, func() http.Handler {
-		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.Router(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.PermissionsManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.IdpManager(), s.ServiceManager(), s.ReverseProxyDomainManager(), s.AccessLogsManager(), s.ReverseProxyGRPCServer(), s.Config.ReverseProxy.TrustedHTTPProxies, s.RateLimiter(), s.IsValidChildAccount)
+		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.Router(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.Metrics(), s.PermissionsManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.InstanceManager(), s.ServiceManager(), s.ReverseProxyDomainManager(), s.AccessLogsManager(), s.ReverseProxyGRPCServer(), s.Config.ReverseProxy.TrustedHTTPProxies, s.AuthMiddleware())
 		if err != nil {
 			log.Fatalf("failed to create API handler: %v", err)
 		}
@@ -153,6 +153,20 @@ func (s *BaseServer) RateLimiter() *middleware.APIRateLimiter {
 	})
 }

+func (s *BaseServer) AuthMiddleware() mux.MiddlewareFunc {
+	return Create(s, func() mux.MiddlewareFunc {
+		m := middleware.NewAuthMiddleware(
+			s.AuthManager(),
+			s.AccountManager().GetAccountIDFromUserAuth,
+			s.AccountManager().SyncUserJWTGroups,
+			s.AccountManager().GetUserFromUserAuth,
+			s.RateLimiter(),
+			s.Metrics().GetMeter(),
+		)
+		return m.Handler
+	})
+}
+
 func (s *BaseServer) GRPCServer() *grpc.Server {
 	return Create(s, func() *grpc.Server {
 		trustedPeers := s.Config.ReverseProxy.TrustedPeers
@@ -219,7 +233,7 @@ func (s *BaseServer) GRPCServer() *grpc.Server {

 func (s *BaseServer) ReverseProxyGRPCServer() *nbgrpc.ProxyServiceServer {
 	return Create(s, func() *nbgrpc.ProxyServiceServer {
-		proxyService := nbgrpc.NewProxyServiceServer(s.AccessLogsManager(), s.ProxyTokenStore(), s.PKCEVerifierStore(), s.proxyOIDCConfig(), s.PeersManager(), s.UsersManager(), s.IdpManager(), s.ProxyManager(), s.Store())
+		proxyService := nbgrpc.NewProxyServiceServer(s.AccessLogsManager(), s.ProxyTokenStore(), s.PKCEVerifierStore(), s.proxyOIDCConfig(), s.PeersManager(), s.UsersManager(), s.ProxyManager(), s.Store())
 		s.AfterInit(func(s *BaseServer) {
 			proxyService.SetServiceManager(s.ServiceManager())
 			proxyService.SetProxyController(s.ServiceProxyController())
--- a/management/internals/server/modules.go
+++ b/management/internals/server/modules.go
@@ -23,6 +23,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/geolocation"
 	"github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/idp"
+	"github.com/netbirdio/netbird/management/server/instance"
 	"github.com/netbirdio/netbird/management/server/networks"
 	"github.com/netbirdio/netbird/management/server/networks/resources"
 	"github.com/netbirdio/netbird/management/server/networks/routers"
@@ -151,6 +152,16 @@ func (s *BaseServer) IdpManager() idp.Manager {
 	})
 }

+func (s *BaseServer) InstanceManager() instance.Manager {
+	return Create(s, func() instance.Manager {
+		m, err := instance.NewManager(context.Background(), s.Store(), s.IdpManager())
+		if err != nil {
+			log.Fatalf("failed to create instance manager: %v", err)
+		}
+		return m
+	})
+}
+
 // OAuthConfigProvider is only relevant when we have an embedded IdP service. Otherwise must be nil
 func (s *BaseServer) OAuthConfigProvider() idp.OAuthConfigProvider {
 	if s.Config.EmbeddedIdP == nil || !s.Config.EmbeddedIdP.Enabled {
@@ -229,6 +240,3 @@ func (s *BaseServer) ReverseProxyDomainManager() *manager.Manager {
 	})
 }

-func (s *BaseServer) IsValidChildAccount(_ context.Context, _, _, _ string) bool {
-	return false
-}
--- a/management/internals/shared/grpc/conversion.go
+++ b/management/internals/shared/grpc/conversion.go
@@ -14,8 +14,6 @@ import (
 	goproto "google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/timestamppb"

-	integrationsConfig "github.com/netbirdio/management-integrations/integrations/config"
-
 	"github.com/netbirdio/netbird/client/ssh/auth"

 	nbdns "github.com/netbirdio/netbird/dns"
@@ -166,9 +164,7 @@ func ToSyncResponse(ctx context.Context, config *nbconfig.Config, httpConfig *nb
 		Checks: toProtocolChecks(ctx, checks),
 	}

-	nbConfig := toNetbirdConfig(config, turnCredentials, relayCredentials, extraSettings)
-	extendedConfig := integrationsConfig.ExtendNetBirdConfig(peer.ID, peerGroups, nbConfig, extraSettings)
-	response.NetbirdConfig = extendedConfig
+	response.NetbirdConfig = toNetbirdConfig(config, turnCredentials, relayCredentials, extraSettings)

 	response.NetworkMap.PeerConfig = response.PeerConfig

--- a/management/internals/shared/grpc/proxy.go
+++ b/management/internals/shared/grpc/proxy.go
@@ -33,8 +33,6 @@ import (
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxy"
 	rpservice "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/sessionkey"
-	"github.com/netbirdio/netbird/management/server/idp"
-	"github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/management/server/users"
 	proxyauth "github.com/netbirdio/netbird/proxy/auth"
@@ -84,9 +82,6 @@ type ProxyServiceServer struct {
 	// Manager for users
 	usersManager users.Manager

-	// Manager for IdP-enriched user data (may be nil when no IdP is configured)
-	idpManager idp.Manager
-
 	// Store for one-time authentication tokens
 	tokenStore *OneTimeTokenStore

@@ -162,7 +157,7 @@ func enforceAccountScope(ctx context.Context, requestAccountID string) error {
 }

 // NewProxyServiceServer creates a new proxy service server.
-func NewProxyServiceServer(accessLogMgr accesslogs.Manager, tokenStore *OneTimeTokenStore, pkceStore *PKCEVerifierStore, oidcConfig ProxyOIDCConfig, peersManager peers.Manager, usersManager users.Manager, idpManager idp.Manager, proxyMgr proxy.Manager, tokenChecker ProxyTokenChecker) *ProxyServiceServer {
+func NewProxyServiceServer(accessLogMgr accesslogs.Manager, tokenStore *OneTimeTokenStore, pkceStore *PKCEVerifierStore, oidcConfig ProxyOIDCConfig, peersManager peers.Manager, usersManager users.Manager, proxyMgr proxy.Manager, tokenChecker ProxyTokenChecker) *ProxyServiceServer {
 	ctx, cancel := context.WithCancel(context.Background())
 	s := &ProxyServiceServer{
 		accessLogManager:  accessLogMgr,
@@ -171,7 +166,6 @@ func NewProxyServiceServer(accessLogMgr accesslogs.Manager, tokenStore *OneTimeT
 		pkceVerifierStore: pkceStore,
 		peersManager:      peersManager,
 		usersManager:      usersManager,
-		idpManager:        idpManager,
 		proxyManager:      proxyMgr,
 		tokenChecker:      tokenChecker,
 		snapshotBatchSize: snapshotBatchSizeFromEnv(),
@@ -1708,7 +1702,22 @@ func (s *ProxyServiceServer) ValidateTunnelPeer(ctx context.Context, req *proto.
 	}

 	groupIDs, groupNames := pairGroupIDsAndNames(peerGroups)
-	principalID, displayIdentity := s.getTunnelPeerInfo(ctx, domain, service, peer)
+
+	// Resolve the principal: when the peer is linked to a user, the human
+	// is the principal so multiple peers owned by the same user share a
+	// single identity. Unlinked peers (machine agents) are their own
+	// principal keyed on peer.ID. displayIdentity is what upstream gateways
+	// tag spend with — user.Email when linked, peer.Name when not.
+	principalID := peer.ID
+	displayIdentity := peer.Name
+	if peer.UserID != "" {
+		if user, uerr := s.usersManager.GetUser(ctx, peer.UserID); uerr == nil && user != nil {
+			principalID = user.Id
+			if user.Email != "" {
+				displayIdentity = user.Email
+			}
+		}
+	}

 	if err := checkPeerGroupAccess(service, groupIDs); err != nil {
 		log.WithFields(log.Fields{"domain": domain, "peer_id": peer.ID, "error": err.Error()}).Debug("ValidateTunnelPeer: access denied")
@@ -1745,45 +1754,6 @@ func (s *ProxyServiceServer) ValidateTunnelPeer(ctx context.Context, req *proto.
 	}, nil
 }

-// getTunnelPeerInfo returns the principal ID and display name for a peer, e.g. a
-// user or peer ID, and peer name or user email.
-func (s *ProxyServiceServer) getTunnelPeerInfo(ctx context.Context, domain string, service *rpservice.Service, peer *peer.Peer) (string, string) {
-	// Resolve the principal: when the peer is linked to a user, the human is the
-	// principal so multiple peers owned by the same user share a single
-	// identity. Unlinked peers (machine agents) are their own principal keyed on
-	// peer.ID. displayIdentity is what upstream gateways tag spend with —
-	// user.Email when linked, peer.Name when not.
-
-	// If the peer isn't associated with a user, return the peer info directly.
-	if peer.UserID == "" {
-		return peer.ID, peer.Name
-	}
-
-	// Otherwise, if the peer is linked to a user, the user is the principal and
-	// if an IdP is available, we gather details on the user from it.
-	principalID := peer.UserID
-	displayIdentity := peer.Name
-	// Stored column first (cheap, but often empty for OIDC-provisioned users).
-	if user, uerr := s.usersManager.GetUser(ctx, peer.UserID); uerr == nil && user != nil {
-		principalID = user.Id
-		if user.Email != "" {
-			displayIdentity = user.Email
-		}
-	}
-	// IdP enrichment wins when available — the stored email column is a
-	// best-effort cache and is frequently empty for OIDC users. Enrichment
-	// failures must never fail the RPC; we simply keep the stored/peer identity.
-	if s.idpManager != nil {
-		if ud, uerr := s.idpManager.GetUserDataByID(ctx, peer.UserID, idp.AppMetadata{WTAccountID: service.AccountID}); uerr == nil && ud != nil && ud.Email != "" {
-			displayIdentity = ud.Email
-		} else if uerr != nil {
-			log.WithFields(log.Fields{"domain": domain, "user_id": peer.UserID, "error": uerr.Error()}).Debug("ValidateTunnelPeer: IdP user enrichment failed; using stored/peer identity")
-		}
-	}
-
-	return principalID, displayIdentity
-}
-
 // checkPeerGroupAccess gates ValidateTunnelPeer by the service's required
 // groups. Private services authorise against AccessGroups (empty list fails
 // closed — Validate() rejects that at save time but the RPC is the security
--- a/management/internals/shared/grpc/proxy_group_access_test.go
+++ b/management/internals/shared/grpc/proxy_group_access_test.go
@@ -3,19 +3,14 @@ package grpc
 import (
 	"context"
 	"errors"
-	"net"
 	"testing"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

-	"github.com/netbirdio/netbird/management/internals/modules/peers"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxy"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service"
-	"github.com/netbirdio/netbird/management/server/idp"
-	"github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/shared/management/proto"
 )

 type mockReverseProxyManager struct {
@@ -142,52 +137,6 @@ func (m *mockUsersManager) GetUserWithGroups(ctx context.Context, userID string)
 	return user, nil, nil
 }

-// mockTunnelPeersManager implements only the two peers.Manager methods that
-// ValidateTunnelPeer calls; the embedded interface satisfies the rest (and
-// panics if any unexpected method is invoked).
-type mockTunnelPeersManager struct {
-	peers.Manager
-	peer      *peer.Peer
-	peerErr   error
-	groups    []*types.Group
-	groupsErr error
-}
-
-func (m *mockTunnelPeersManager) GetPeerByTunnelIP(_ context.Context, _ string, _ net.IP) (*peer.Peer, error) {
-	return m.peer, m.peerErr
-}
-
-func (m *mockTunnelPeersManager) GetPeerWithGroups(_ context.Context, _, _ string) (*peer.Peer, []*types.Group, error) {
-	return m.peer, m.groups, m.groupsErr
-}
-
-// mockTunnelIdpManager implements only GetUserDataByID; the embedded interface
-// satisfies the rest of idp.Manager. hasData==false returns (nil, nil) to model
-// an IdP that knows nothing about the user.
-type mockTunnelIdpManager struct {
-	idp.Manager
-	email    string
-	hasData  bool
-	err      error
-	gotCalls int
-	gotMeta  []idp.AppMetadata
-}
-
-func (m *mockTunnelIdpManager) GetUserDataByID(_ context.Context, userID string, meta idp.AppMetadata) (*idp.UserData, error) {
-	m.gotCalls++
-	m.gotMeta = append(m.gotMeta, meta)
-	if m.err != nil {
-		return nil, m.err
-	}
-	if !m.hasData {
-		// This might not be a thing any of the actual IDP implementations do,
-		// i.e. return a nil value with no error, but it seems valuable to test
-		// that behavior here.
-		return nil, nil //nolint:nilnil
-	}
-	return &idp.UserData{ID: userID, Email: m.email}, nil
-}
-
 func TestValidateUserGroupAccess(t *testing.T) {
 	tests := []struct {
 		name             string
@@ -405,163 +354,6 @@ func TestValidateUserGroupAccess(t *testing.T) {
 	}
 }

-// TestValidateTunnelPeerUserEmailEnrichment verifies the UserEmail/UserId
-// resolution in ValidateTunnelPeer, including the IdP-enrichment fallback order
-// (IdP email -> stored User.Email -> peer.Name).
-func TestValidateTunnelPeerUserEmailEnrichment(t *testing.T) {
-	const (
-		domain    = "app.example.com"
-		accountID = "account1"
-		peerID    = "peer1"
-		peerName  = "peer-display-name"
-		userID    = "user1"
-	)
-
-	storedUser := map[string]*types.User{userID: {Id: userID, AccountID: accountID, Email: "stored@example.com"}}
-	storedUserNoEmail := map[string]*types.User{userID: {Id: userID, AccountID: accountID, Email: ""}}
-
-	tests := []struct {
-		name         string
-		peerUserID   string
-		storedUsers  map[string]*types.User
-		storedErr    error
-		noIdP        bool
-		idpEmail     string
-		idpHasData   bool
-		idpErr       error
-		expectEmail  string
-		expectUserID string
-		expectIdPHit bool
-	}{
-		{
-			name:         "idp email wins over stored email",
-			peerUserID:   userID,
-			storedUsers:  storedUser,
-			idpEmail:     "idp@example.com",
-			idpHasData:   true,
-			expectEmail:  "idp@example.com",
-			expectUserID: userID,
-			expectIdPHit: true,
-		},
-		{
-			name:         "stored email when idp returns empty email",
-			peerUserID:   userID,
-			storedUsers:  storedUser,
-			idpEmail:     "",
-			idpHasData:   true,
-			expectEmail:  "stored@example.com",
-			expectUserID: userID,
-			expectIdPHit: true,
-		},
-		{
-			name:         "stored email when idp has no data",
-			peerUserID:   userID,
-			storedUsers:  storedUser,
-			idpHasData:   false,
-			expectEmail:  "stored@example.com",
-			expectUserID: userID,
-			expectIdPHit: true,
-		},
-		{
-			name:         "stored email when idp errors",
-			peerUserID:   userID,
-			storedUsers:  storedUser,
-			idpErr:       errors.New("idp unreachable"),
-			expectEmail:  "stored@example.com",
-			expectUserID: userID,
-			expectIdPHit: true,
-		},
-		{
-			name:         "stored email when no idp manager",
-			peerUserID:   userID,
-			storedUsers:  storedUser,
-			noIdP:        true,
-			expectEmail:  "stored@example.com",
-			expectUserID: userID,
-		},
-		{
-			name:         "idp email when stored email is empty",
-			peerUserID:   userID,
-			storedUsers:  storedUserNoEmail,
-			idpEmail:     "idp@example.com",
-			idpHasData:   true,
-			expectEmail:  "idp@example.com",
-			expectUserID: userID,
-			expectIdPHit: true,
-		},
-		{
-			name:         "idp email when stored user missing keeps peer.UserID as principal",
-			peerUserID:   userID,
-			storedUsers:  map[string]*types.User{},
-			idpEmail:     "idp@example.com",
-			idpHasData:   true,
-			expectEmail:  "idp@example.com",
-			expectUserID: userID,
-			expectIdPHit: true,
-		},
-		{
-			name:         "unlinked peer uses peer name and never consults idp",
-			peerUserID:   "",
-			storedUsers:  storedUser,
-			idpEmail:     "idp@example.com",
-			idpHasData:   true,
-			expectEmail:  peerName,
-			expectUserID: peerID,
-			expectIdPHit: false,
-		},
-		{
-			name:         "linked peer with empty stored email and no idp falls back to peer name",
-			peerUserID:   userID,
-			storedUsers:  storedUserNoEmail,
-			noIdP:        true,
-			expectEmail:  peerName,
-			expectUserID: userID,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			svc := &service.Service{Domain: domain, AccountID: accountID}
-			server := &ProxyServiceServer{
-				serviceManager: &mockReverseProxyManager{
-					proxiesByAccount: map[string][]*service.Service{accountID: {svc}},
-				},
-				peersManager: &mockTunnelPeersManager{
-					peer: &peer.Peer{ID: peerID, Name: peerName, UserID: tt.peerUserID},
-				},
-				usersManager: &mockUsersManager{users: tt.storedUsers, err: tt.storedErr},
-			}
-
-			var idpMock *mockTunnelIdpManager
-			if !tt.noIdP {
-				idpMock = &mockTunnelIdpManager{email: tt.idpEmail, hasData: tt.idpHasData, err: tt.idpErr}
-				server.idpManager = idpMock
-			}
-
-			resp, err := server.ValidateTunnelPeer(context.Background(), &proto.ValidateTunnelPeerRequest{
-				Domain:   domain,
-				TunnelIp: "100.64.0.1",
-			})
-
-			require.NoError(t, err)
-			require.NotNil(t, resp)
-			assert.True(t, resp.GetValid(), "expected access granted")
-			assert.Equal(t, tt.expectEmail, resp.GetUserEmail())
-			assert.Equal(t, tt.expectUserID, resp.GetUserId())
-
-			if idpMock != nil {
-				if tt.expectIdPHit {
-					assert.Equal(t, 1, idpMock.gotCalls, "expected IdP to be consulted")
-					require.Len(t, idpMock.gotMeta, 1)
-					assert.Equal(t, accountID, idpMock.gotMeta[0].WTAccountID)
-				} else {
-					assert.Equal(t, 0, idpMock.gotCalls, "expected IdP to not be consulted")
-				}
-			}
-		})
-	}
-}
-
 func TestGetAccountProxyByDomain(t *testing.T) {
 	tests := []struct {
 		name             string
--- a/management/internals/shared/grpc/server.go
+++ b/management/internals/shared/grpc/server.go
@@ -778,7 +778,7 @@ func (s *Server) Login(ctx context.Context, req *proto.EncryptedMessage) (*proto
 		sshKey = loginReq.GetPeerKeys().GetSshPubKey()
 	}

-	peer, network, postureChecks, enableSSH, err := s.accountManager.LoginPeer(ctx, types.PeerLogin{
+	peer, netMap, postureChecks, err := s.accountManager.LoginPeer(ctx, types.PeerLogin{
 		WireGuardPubKey: peerKey.String(),
 		SSHKey:          string(sshKey),
 		Meta:            peerMeta,
@@ -792,7 +792,7 @@ func (s *Server) Login(ctx context.Context, req *proto.EncryptedMessage) (*proto
 		return nil, mapError(ctx, err)
 	}

-	loginResp, err := s.prepareLoginResponse(ctx, peer, network, postureChecks, enableSSH)
+	loginResp, err := s.prepareLoginResponse(ctx, peer, netMap, postureChecks)
 	if err != nil {
 		log.WithContext(ctx).Warnf("failed preparing login response for peer %s: %s", peerKey, err)
 		return nil, status.Errorf(codes.Internal, "failed logging in peer")
@@ -895,7 +895,7 @@ func (s *Server) ExtendAuthSession(ctx context.Context, req *proto.EncryptedMess
 	}, nil
 }

-func (s *Server) prepareLoginResponse(ctx context.Context, peer *nbpeer.Peer, network *types.Network, postureChecks []*posture.Checks, enableSSH bool) (*proto.LoginResponse, error) {
+func (s *Server) prepareLoginResponse(ctx context.Context, peer *nbpeer.Peer, netMap *types.NetworkMap, postureChecks []*posture.Checks) (*proto.LoginResponse, error) {
 	var relayToken *Token
 	var err error
 	if s.config.Relay != nil && len(s.config.Relay.Addresses) > 0 {
@@ -914,7 +914,7 @@ func (s *Server) prepareLoginResponse(ctx context.Context, peer *nbpeer.Peer, ne
 	// if peer has reached this point then it has logged in
 	loginResp := &proto.LoginResponse{
 		NetbirdConfig: toNetbirdConfig(s.config, nil, relayToken, nil),
-		PeerConfig:    toPeerConfig(peer, network, s.networkMapController.GetDNSDomain(settings), settings, s.config.HttpConfig, s.config.DeviceAuthorizationFlow, enableSSH),
+		PeerConfig:    toPeerConfig(peer, netMap.Network, s.networkMapController.GetDNSDomain(settings), settings, s.config.HttpConfig, s.config.DeviceAuthorizationFlow, netMap.EnableSSH),
 		Checks:        toProtocolChecks(ctx, postureChecks),
 	}

@@ -1205,7 +1205,7 @@ func (s *Server) SyncMeta(ctx context.Context, req *proto.EncryptedMessage) (*pr
 		return nil, msg
 	}

-	err = s.accountManager.SyncPeerMeta(ctx, peerKey.String(), extractPeerMeta(ctx, syncMetaReq.GetMeta()), realIP)
+	err = s.accountManager.SyncPeerMeta(ctx, peerKey.String(), extractPeerMeta(ctx, syncMetaReq.GetMeta()))
 	if err != nil {
 		return nil, mapError(ctx, err)
 	}
@@ -1254,10 +1254,7 @@ func (s *Server) Logout(ctx context.Context, req *proto.EncryptedMessage) (*prot
 func toProtocolChecks(ctx context.Context, postureChecks []*posture.Checks) []*proto.Checks {
 	protoChecks := make([]*proto.Checks, 0, len(postureChecks))
 	for _, postureCheck := range postureChecks {
-		check := toProtocolCheck(postureCheck)
-		if check != nil {
-			protoChecks = append(protoChecks, check)
-		}
+		protoChecks = append(protoChecks, toProtocolCheck(postureCheck))
 	}

 	return protoChecks
@@ -1281,9 +1278,5 @@ func toProtocolCheck(postureCheck *posture.Checks) *proto.Checks {
 		}
 	}

-	if len(protoCheck.Files) == 0 {
-		return nil
-	}
-
 	return protoCheck
 }
--- a/management/internals/shared/grpc/token_mgr.go
+++ b/management/internals/shared/grpc/token_mgr.go
@@ -12,7 +12,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

-	integrationsConfig "github.com/netbirdio/management-integrations/integrations/config"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/server/groups"
@@ -41,8 +40,6 @@ type TimeBasedAuthSecretsManager struct {
 	turnHmacToken   *auth.TimedHMAC
 	relayHmacToken  *authv2.Generator
 	updateManager   network_map.PeersUpdateManager
-	settingsManager settings.Manager
-	groupsManager   groups.Manager
 	turnCancelMap   map[string]chan struct{}
 	relayCancelMap  map[string]chan struct{}
 	wgKey           wgtypes.Key
@@ -62,8 +59,6 @@ func NewTimeBasedAuthSecretsManager(updateManager network_map.PeersUpdateManager
 		relayCfg:        relayCfg,
 		turnCancelMap:   make(map[string]chan struct{}),
 		relayCancelMap:  make(map[string]chan struct{}),
-		settingsManager: settingsManager,
-		groupsManager:   groupsManager,
 		wgKey:           key,
 	}

@@ -239,8 +234,6 @@ func (m *TimeBasedAuthSecretsManager) pushNewTURNAndRelayTokens(ctx context.Cont
 		}
 	}

-	m.extendNetbirdConfig(ctx, peerID, accountID, update)
-
 	log.WithContext(ctx).Debugf("sending new TURN credentials to peer %s", peerID)
 	m.updateManager.SendUpdate(ctx, peerID, &network_map.UpdateMessage{
 		Update:      update,
@@ -266,26 +259,9 @@ func (m *TimeBasedAuthSecretsManager) pushNewRelayTokens(ctx context.Context, ac
 		},
 	}

-	m.extendNetbirdConfig(ctx, peerID, accountID, update)
-
 	log.WithContext(ctx).Debugf("sending new relay credentials to peer %s", peerID)
 	m.updateManager.SendUpdate(ctx, peerID, &network_map.UpdateMessage{
 		Update:      update,
 		MessageType: network_map.MessageTypeControlConfig,
 	})
 }
-
-func (m *TimeBasedAuthSecretsManager) extendNetbirdConfig(ctx context.Context, peerID, accountID string, update *proto.SyncResponse) {
-	extraSettings, err := m.settingsManager.GetExtraSettings(ctx, accountID)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to get extra settings: %v", err)
-	}
-
-	peerGroups, err := m.groupsManager.GetPeerGroupIDs(ctx, accountID, peerID)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to get peer groups: %v", err)
-	}
-
-	extendedConfig := integrationsConfig.ExtendNetBirdConfig(peerID, peerGroups, update.NetbirdConfig, extraSettings)
-	update.NetbirdConfig = extendedConfig
-}
--- a/management/internals/shared/grpc/validate_session_test.go
+++ b/management/internals/shared/grpc/validate_session_test.go
@@ -42,7 +42,7 @@ func setupValidateSessionTest(t *testing.T) *validateSessionTestSetup {
 	tokenStore := NewOneTimeTokenStore(ctx, testCacheStore(t))
 	pkceStore := NewPKCEVerifierStore(ctx, testCacheStore(t))

-	proxyService := NewProxyServiceServer(nil, tokenStore, pkceStore, ProxyOIDCConfig{}, nil, usersManager, nil, proxyManager, nil)
+	proxyService := NewProxyServiceServer(nil, tokenStore, pkceStore, ProxyOIDCConfig{}, nil, usersManager, proxyManager, nil)
 	proxyService.SetServiceManager(serviceManager)

 	createTestProxies(t, ctx, testStore)
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -1889,12 +1889,12 @@ func domainIsUpToDate(domain string, domainCategory string, userAuth auth.UserAu
 // concurrent stream that started earlier loses the optimistic-lock race
 // in MarkPeerConnected and bails without writing.
 func (am *DefaultAccountManager) SyncAndMarkPeer(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP, syncTime time.Time) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, int64, error) {
-	peer, netMap, postureChecks, dnsfwdPort, err := am.SyncPeer(ctx, types.PeerSync{WireGuardPubKey: peerPubKey, Meta: meta, RealIP: realIP}, accountID)
+	peer, netMap, postureChecks, dnsfwdPort, err := am.SyncPeer(ctx, types.PeerSync{WireGuardPubKey: peerPubKey, Meta: meta}, accountID)
 	if err != nil {
 		return nil, nil, nil, 0, fmt.Errorf("error syncing peer: %w", err)
 	}

-	if err := am.MarkPeerConnected(ctx, peerPubKey, accountID, syncTime.UnixNano(), netMap); err != nil {
+	if err := am.MarkPeerConnected(ctx, peerPubKey, realIP, accountID, syncTime.UnixNano(), netMap); err != nil {
 		log.WithContext(ctx).Warnf("failed marking peer as connected %s %v", peerPubKey, err)
 	}

@@ -1914,13 +1914,13 @@ func (am *DefaultAccountManager) OnPeerDisconnected(ctx context.Context, account
 	return nil
 }

-func (am *DefaultAccountManager) SyncPeerMeta(ctx context.Context, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP) error {
+func (am *DefaultAccountManager) SyncPeerMeta(ctx context.Context, peerPubKey string, meta nbpeer.PeerSystemMeta) error {
 	accountID, err := am.Store.GetAccountIDByPeerPubKey(ctx, peerPubKey)
 	if err != nil {
 		return err
 	}

-	_, _, _, _, err = am.SyncPeer(ctx, types.PeerSync{WireGuardPubKey: peerPubKey, Meta: meta, RealIP: realIP, UpdateAccountPeers: true}, accountID)
+	_, _, _, _, err = am.SyncPeer(ctx, types.PeerSync{WireGuardPubKey: peerPubKey, Meta: meta, UpdateAccountPeers: true}, accountID)
 	if err != nil {
 		return err
 	}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
bcmmbaga	4edb944051	Merge branch 'main' into refactor/mgmt-bootstrap	2026-06-16 17:17:03 +03:00
bcmmbaga	37ce40ede6	build client config in sync response	2026-06-05 23:53:48 +03:00
bcmmbaga	318014552f	Merge branch 'main' into refactor/mgmt-bootstrap	2026-06-05 22:02:25 +03:00
bcmmbaga	78ed62535e	Clean up middleware and move auth middlewa into module	2026-05-26 20:45:57 +03:00