Capture listener locally in accept loops to avoid nil deref on Stop

Handle Lstat error in purgeStaleAgentSubdir
Split prepareAgentSocketDir to reduce cognitive complexity
2026-06-09 17:39:57 +00:00 · 2026-05-25 17:02:28 +02:00 · 2026-05-25 15:52:30 +02:00 · 2026-05-25 15:09:28 +02:00 · 2026-05-25 14:10:01 +02:00 · 2026-05-25 13:26:29 +02:00
371 changed files with 24454 additions and 20080 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,45 +0,0 @@
-version: 2
-updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    open-pull-requests-limit: 15
-    groups:
-      actions:
-        patterns:
-          - "*"
-    ignore:
-      # git-town/action v1.3.x crashes on cyclic PR graphs (self-loop main->main
-      # fork PRs) via its topological-sort visualization. Pinned to v1.2.1 in
-      # git-town.yml; block v1.3.x until upstream tolerates cyclic edges.
-      - dependency-name: "git-town/action"
-        update-types:
-          - "version-update:semver-minor"
-          - "version-update:semver-major"
-
-  - package-ecosystem: "gomod"
-    directories:
-      - "/"
-    schedule:
-      interval: "daily"
-    open-pull-requests-limit: 15
-    groups:
-      aws-sdk:
-        patterns:
-          - "github.com/aws/aws-sdk-go-v2/*"
-      pion:
-        patterns:
-          - "github.com/pion/*"
-      gorm:
-        patterns:
-          - "gorm.io/*"
-      otel:
-        patterns:
-          - "go.opentelemetry.io/*"
-      testcontainers:
-        patterns:
-          - "github.com/testcontainers/testcontainers-go/*"
-      wireguard:
-        patterns:
-          - "golang.zx2c4.com/wireguard*"
--- a/.github/workflows/check-license-dependencies.yml
+++ b/.github/workflows/check-license-dependencies.yml
@@ -2,16 +2,16 @@ name: Check License Dependencies

 on:
  push:
-    branches: [main]
+    branches: [ main ]
    paths:
-      - "go.mod"
-      - "go.sum"
-      - ".github/workflows/check-license-dependencies.yml"
+      - 'go.mod'
+      - 'go.sum'
+      - '.github/workflows/check-license-dependencies.yml'
  pull_request:
    paths:
-      - "go.mod"
-      - "go.sum"
-      - ".github/workflows/check-license-dependencies.yml"
+      - 'go.mod'
+      - 'go.sum'
+      - '.github/workflows/check-license-dependencies.yml'

 jobs:
  check-internal-dependencies:
@@ -19,10 +19,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+      - uses: actions/checkout@v4

      - name: Check for problematic license dependencies
        run: |
@@ -59,57 +56,55 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+    - uses: actions/checkout@v4

-      - name: Set up Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
-        with:
-          go-version-file: "go.mod"
-          cache: true
+    - name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version-file: 'go.mod'
+        cache: true

-      - name: Install go-licenses
-        run: go install github.com/google/go-licenses@v1.6.0
+    - name: Install go-licenses
+      run: go install github.com/google/go-licenses@v1.6.0

-      - name: Check for GPL/AGPL licensed dependencies
-        run: |
-          echo "Checking for GPL/AGPL/LGPL licensed dependencies..."
+    - name: Check for GPL/AGPL licensed dependencies
+      run: |
+        echo "Checking for GPL/AGPL/LGPL licensed dependencies..."
+        echo ""
+
+        # Check all Go packages for copyleft licenses, excluding internal netbird packages
+        COPYLEFT_DEPS=$(go-licenses report ./... 2>/dev/null | grep -E 'GPL|AGPL|LGPL' | grep -v 'github.com/netbirdio/netbird/' || true)
+
+        if [ -n "$COPYLEFT_DEPS" ]; then
+          echo "Found copyleft licensed dependencies:"
+          echo "$COPYLEFT_DEPS"
          echo ""

-          # Check all Go packages for copyleft licenses, excluding internal netbird packages
-          COPYLEFT_DEPS=$(go-licenses report ./... 2>/dev/null | grep -E 'GPL|AGPL|LGPL' | grep -v 'github.com/netbirdio/netbird/' || true)
+          # Filter out dependencies that are only pulled in by internal AGPL packages
+          INCOMPATIBLE=""
+          while IFS=',' read -r package url license; do
+            if echo "$license" | grep -qE 'GPL-[0-9]|AGPL-[0-9]|LGPL-[0-9]'; then
+              # Find ALL packages that import this GPL package using go list
+              IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")

-          if [ -n "$COPYLEFT_DEPS" ]; then
-            echo "Found copyleft licensed dependencies:"
-            echo "$COPYLEFT_DEPS"
-            echo ""
+              # Check if any importer is NOT in management/signal/relay
+              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\|tools/idp-migrate\)" | head -1)

-            # Filter out dependencies that are only pulled in by internal AGPL packages
-            INCOMPATIBLE=""
-            while IFS=',' read -r package url license; do
-              if echo "$license" | grep -qE 'GPL-[0-9]|AGPL-[0-9]|LGPL-[0-9]'; then
-                # Find ALL packages that import this GPL package using go list
-                IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
-
-                # Check if any importer is NOT in management/signal/relay
-                BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\|tools/idp-migrate\)" | head -1)
-
-                if [ -n "$BSD_IMPORTER" ]; then
-                  echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
-                  INCOMPATIBLE="${INCOMPATIBLE}${package},${url},${license}\n"
-                else
-                  echo "✓ $package ($license) is only used by internal AGPL packages - OK"
-                fi
+              if [ -n "$BSD_IMPORTER" ]; then
+                echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
+                INCOMPATIBLE="${INCOMPATIBLE}${package},${url},${license}\n"
+              else
+                echo "✓ $package ($license) is only used by internal AGPL packages - OK"
              fi
-            done <<< "$COPYLEFT_DEPS"
-
-            if [ -n "$INCOMPATIBLE" ]; then
-              echo ""
-              echo "❌ INCOMPATIBLE licenses found that are used by BSD-licensed code:"
-              echo -e "$INCOMPATIBLE"
-              exit 1
            fi
-          fi
+          done <<< "$COPYLEFT_DEPS"

-          echo "✅ All external license dependencies are compatible with BSD-3-Clause"
+          if [ -n "$INCOMPATIBLE" ]; then
+            echo ""
+            echo "❌ INCOMPATIBLE licenses found that are used by BSD-licensed code:"
+            echo -e "$INCOMPATIBLE"
+            exit 1
+          fi
+        fi
+
+        echo "✅ All external license dependencies are compatible with BSD-3-Clause"
--- a/.github/workflows/docs-ack.yml
+++ b/.github/workflows/docs-ack.yml
@@ -83,7 +83,7 @@ jobs:

      - name: Verify docs PR exists (and is open or merged)
        if: steps.validate.outputs.mode == 'added'
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v7
        id: verify
        with:
          pr_number: ${{ steps.extract.outputs.pr_number }}
--- a/.github/workflows/forum.yml
+++ b/.github/workflows/forum.yml
@@ -8,10 +8,11 @@ jobs:
  post:
    runs-on: ubuntu-latest
    steps:
-      - uses: roots/discourse-topic-github-release-action@557d74ea05b6cc0c47f555c1d5d28a89d904005b # v1.1.0
+      - uses: roots/discourse-topic-github-release-action@main
        with:
          discourse-api-key: ${{ secrets.DISCOURSE_RELEASES_API_KEY }}
          discourse-base-url: https://forum.netbird.io
          discourse-author-username: NetBird
          discourse-category: 17
-          discourse-tags: releases
+          discourse-tags:
+            releases
--- a/.github/workflows/git-town.yml
+++ b/.github/workflows/git-town.yml
@@ -3,7 +3,7 @@ name: Git Town
 on:
  pull_request:
    branches:
-      - "**"
+      - '**'

 jobs:
  git-town:
@@ -15,9 +15,7 @@ jobs:
      pull-requests: write

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-      - uses: git-town/action@3d8b878379abb1ee393fb49865a28b4a6c2cd3b0 # v1.2.1
+      - uses: actions/checkout@v4
+      - uses: git-town/action@v1.2.1
        with:
          skip-single-stacks: true
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -16,18 +16,16 @@ jobs:
    runs-on: macos-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false

      - name: Cache Go modules
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
        with:
          path: ~/go/pkg/mod
          key: macos-gotest-${{ hashFiles('**/go.sum') }}
@@ -45,11 +43,5 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -coverprofile=coverage.txt -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)

-      - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          slug: netbirdio/netbird
-          flags: unit,client
--- a/.github/workflows/golang-test-freebsd.yml
+++ b/.github/workflows/golang-test-freebsd.yml
@@ -15,31 +15,20 @@ jobs:
    name: "Client / Unit"
    runs-on: ubuntu-22.04
    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Read Go version from go.mod
-        id: goversion
-        run: echo "version=$(awk '/^go / {print $2}' go.mod)" >> "$GITHUB_OUTPUT"
-
+      - uses: actions/checkout@v4
      - name: Test in FreeBSD
        id: test
-        env:
-          GO_VERSION: ${{ steps.goversion.outputs.version }}
-        uses: vmactions/freebsd-vm@d1e65811565151536c0c894fff74f06351ed26e6 # v1.4.5
+        uses: vmactions/freebsd-vm@v1
        with:
          usesh: true
          copyback: false
-          release: "15.0"
-          envs: "GO_VERSION"
+          release: "14.2"
          prepare: |
            pkg install -y curl pkgconf xorg
-            GO_TARBALL="go${GO_VERSION}.freebsd-amd64.tar.gz"
+            GO_TARBALL="go1.25.3.freebsd-amd64.tar.gz"
            GO_URL="https://go.dev/dl/$GO_TARBALL"
            curl -vLO "$GO_URL"
-            tar -C /usr/local -vxzf "$GO_TARBALL"
+            tar -C /usr/local -vxzf "$GO_TARBALL"            

          # -x - to print all executed commands
          # -e - to faile on first error
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -18,11 +18,9 @@ jobs:
      management: ${{ steps.filter.outputs.management }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

-      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+      - uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
@@ -30,7 +28,7 @@ jobs:
              - 'management/**'

      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -38,10 +36,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     

      - name: Cache Go modules
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
        id: cache
        with:
          path: |
@@ -115,16 +113,14 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        arch: ["386", "amd64"]
+        arch: [ '386','amd64' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -132,10 +128,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     

      - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
        with:
          path: |
            ${{ env.cache }}
@@ -158,29 +154,18 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -coverprofile=coverage.txt -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
-
-      - name: Upload coverage reports to Codecov
-        if: matrix.arch == 'amd64'
-        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          slug: netbirdio/netbird
-          flags: unit,client
-
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)

  test_client_on_docker:
    name: "Client (Docker) / Unit"
-    needs: [build-cache]
+    needs: [ build-cache ]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -192,7 +177,7 @@ jobs:
          echo "modcache_dir=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT

      - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
        id: cache-restore
        with:
          path: |
@@ -246,12 +231,10 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -263,10 +246,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     

      - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
        with:
          path: |
            ${{ env.cache }}
@@ -285,33 +268,23 @@ jobs:
        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          go test ${{ matrix.raceFlag }} \
-            -exec 'sudo' -coverprofile=coverage.txt \
+            -exec 'sudo' \
            -timeout 10m -p 1 ./relay/... ./shared/relay/...

-      - name: Upload coverage reports to Codecov
-        if: matrix.arch == 'amd64'
-        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          slug: netbirdio/netbird
-          flags: unit,relay
-
  test_proxy:
    name: "Proxy / Unit"
    needs: [build-cache]
    strategy:
      fail-fast: false
      matrix:
-        arch: ["386", "amd64"]
+        arch: [ '386','amd64' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -325,7 +298,7 @@ jobs:
          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
        with:
          path: |
            ${{ env.cache }}
@@ -343,15 +316,7 @@ jobs:
      - name: Test
        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          go test -timeout 10m -p 1 -coverprofile=coverage.txt ./proxy/...
-
-      - name: Upload coverage reports to Codecov
-        if: matrix.arch == 'amd64'
-        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          slug: netbirdio/netbird
-          flags: unit,proxy
+          go test -timeout 10m -p 1 ./proxy/...

  test_signal:
    name: "Signal / Unit"
@@ -359,16 +324,14 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        arch: ["386", "amd64"]
+        arch: [ '386','amd64' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -380,10 +343,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     

      - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
        with:
          path: |
            ${{ env.cache }}
@@ -402,34 +365,24 @@ jobs:
        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          go test \
-            -exec 'sudo' -coverprofile=coverage.txt \
+            -exec 'sudo' \
            -timeout 10m ./signal/... ./shared/signal/...

-      - name: Upload coverage reports to Codecov
-        if: matrix.arch == 'amd64'
-        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          slug: netbirdio/netbird
-          flags: unit,signal
-
  test_management:
    name: "Management / Unit"
-    needs: [build-cache]
+    needs: [ build-cache ]
    strategy:
      fail-fast: false
      matrix:
-        arch: ["amd64"]
-        store: ["sqlite", "postgres", "mysql"]
+        arch: [ 'amd64' ]
+        store: [ 'sqlite', 'postgres', 'mysql' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -437,10 +390,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     

      - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
        with:
          path: |
            ${{ env.cache }}
@@ -457,7 +410,7 @@ jobs:

      - name: Login to Docker hub
        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
@@ -474,31 +427,23 @@ jobs:
        run: docker pull mlsmaycon/warmed-mysql:8

      - name: Test
-        run: |
+        run: |          
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
            CI=true \
-          go test -tags=devcert -coverprofile=coverage.txt \
+          go test -tags=devcert \
            -exec "sudo --preserve-env=CI,NETBIRD_STORE_ENGINE" \
            -timeout 20m ./management/... ./shared/management/...

-      - name: Upload coverage reports to Codecov
-        if: matrix.arch == 'amd64'
-        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          slug: netbirdio/netbird
-          flags: unit,management
-
  benchmark:
    name: "Management / Benchmark"
-    needs: [build-cache]
+    needs: [ build-cache ]
    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
    strategy:
      fail-fast: false
      matrix:
-        arch: ["amd64"]
-        store: ["sqlite", "postgres"]
+        arch: [ 'amd64' ]
+        store: [ 'sqlite', 'postgres' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Create Docker network
@@ -529,12 +474,10 @@ jobs:
            prom/prometheus

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -542,10 +485,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     

      - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
        with:
          path: |
            ${{ env.cache }}
@@ -562,7 +505,7 @@ jobs:

      - name: Login to Docker hub
        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
@@ -586,13 +529,13 @@ jobs:

  api_benchmark:
    name: "Management / Benchmark (API)"
-    needs: [build-cache]
+    needs: [ build-cache ]
    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
    strategy:
      fail-fast: false
      matrix:
-        arch: ["amd64"]
-        store: ["sqlite", "postgres"]
+        arch: [ 'amd64' ]
+        store: [ 'sqlite', 'postgres' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Create Docker network
@@ -623,12 +566,10 @@ jobs:
            prom/prometheus

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -636,10 +577,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     

      - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
        with:
          path: |
            ${{ env.cache }}
@@ -656,7 +597,7 @@ jobs:

      - name: Login to Docker hub
        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
@@ -682,22 +623,20 @@ jobs:

  api_integration_test:
    name: "Management / Integration"
-    needs: [build-cache]
+    needs: [ build-cache ]
    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
    strategy:
      fail-fast: false
      matrix:
-        arch: ["amd64"]
-        store: ["sqlite", "postgres"]
+        arch: [ 'amd64' ]
+        store: [ 'sqlite', 'postgres']
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -705,10 +644,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     

      - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
        with:
          path: |
            ${{ env.cache }}
@@ -728,14 +667,6 @@ jobs:
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
          CI=true \
-          go test -tags=integration -coverprofile=coverage.txt \
+          go test -tags=integration \
          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
          -timeout 20m ./management/server/http/...
-
-      - name: Upload coverage reports to Codecov
-        if: matrix.arch == 'amd64'
-        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          slug: netbirdio/netbird
-          flags: integration,management
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -18,12 +18,10 @@ jobs:
    runs-on: windows-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        id: go
        with:
          go-version-file: "go.mod"
@@ -35,7 +33,7 @@ jobs:
          echo "modcache=$(go env GOMODCACHE)" >> $env:GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
        with:
          path: |
            ${{ env.cache }}
@@ -46,15 +44,16 @@ jobs:
            ${{ runner.os }}-go-

      - name: Download wintun
+        uses: carlosperate/download-file-action@v2
        id: download-wintun
-        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
        with:
-          url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
-          destination: ${{ env.downloadPath }}\wintun.zip
-          sha256: 07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51
+          file-url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
+          file-name: wintun.zip
+          location: ${{ env.downloadPath }}
+          sha256: '07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51'

      - name: Decompressing wintun files
-        run: tar -xvf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}
+        run: tar -zvxf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}

      - run: mv ${{ env.downloadPath }}/wintun/bin/amd64/wintun.dll 'C:\Windows\System32\'

--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -15,11 +15,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
      - name: codespell
-        uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2.2
+        uses: codespell-project/actions-codespell@v2
        with:
          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te,userA,ede,additionals
          skip: go.mod,go.sum,**/proxy/web/**
@@ -40,15 +38,13 @@ jobs:
    timeout-minutes: 15
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
      - name: Check for duplicate constants
        if: matrix.os == 'ubuntu-latest'
        run: |
          ! awk '/const \(/,/)/{print $0}' management/server/activity/codes.go | grep -o '= [0-9]*' | sort | uniq -d | grep .
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -56,7 +52,7 @@ jobs:
        if: matrix.os == 'ubuntu-latest'
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee #v9.2.1
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
        with:
          version: latest
          skip-cache: true
--- a/.github/workflows/install-script-test.yml
+++ b/.github/workflows/install-script-test.yml
@@ -22,9 +22,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: run install script
        env:
--- a/.github/workflows/mobile-build-validation.yml
+++ b/.github/workflows/mobile-build-validation.yml
@@ -16,25 +16,23 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: Setup Android SDK
-        uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4.0.1
+        uses: android-actions/setup-android@v3
        with:
          cmdline-tools-version: 8512546
      - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
+        uses: actions/setup-java@v4
        with:
          java-version: "11"
          distribution: "adopt"
      - name: NDK Cache
        id: ndk-cache
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
        with:
          path: /usr/local/lib/android/sdk/ndk
          key: ndk-cache-23.1.7779620
@@ -54,11 +52,9 @@ jobs:
    runs-on: macos-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: install gomobile
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -9,7 +9,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Validate PR title prefix
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v7
        with:
          script: |
            const title = context.payload.pull_request.title;
--- a/.github/workflows/proto-version-check.yml
+++ b/.github/workflows/proto-version-check.yml
@@ -10,7 +10,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check for proto tool version changes
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v7
        with:
          script: |
            const files = await github.paginate(github.rest.pulls.listFiles, {
@@ -20,83 +20,34 @@ jobs:
              per_page: 100,
            });

-            // Cover renamed .pb.go files in addition to plain edits.
-            // Renamed entries land under the new path with previous_filename
-            // pointing at the base-side name, so we read the base content
-            // from the old path when present.
-            const changedPbFiles = files
-              .filter(f => (f.status === 'modified' || f.status === 'renamed')
-                && f.filename.endsWith('.pb.go'))
-              .map(f => ({
-                headPath: f.filename,
-                basePath: f.previous_filename || f.filename,
-              }));
-            if (changedPbFiles.length === 0) {
-              console.log('No modified or renamed .pb.go files to check');
+            const pbFiles = files.filter(f => f.filename.endsWith('.pb.go'));
+            const missingPatch = pbFiles.filter(f => !f.patch).map(f => f.filename);
+            if (missingPatch.length > 0) {
+              core.setFailed(
+                `Cannot inspect patch data for:\n` +
+                missingPatch.map(f => `- ${f}`).join('\n') +
+                `\nThis can happen with very large PRs. Verify proto versions manually.`
+              );
              return;
            }
-
-            // Matches the generator version headers protoc writes at the top
-            // of generated files:
-            //   //   protoc           v3.21.12
-            //   //   protoc-gen-go    v1.26.0
-            //   // - protoc-gen-go-grpc v1.6.1   (grpc files prefix with "- ")
-            // The optional "- " prefix and the optional -gen-go / -gen-go-grpc
-            // suffixes keep the *_grpc.pb.go headers in scope.
-            const versionPattern = /^\s*\/\/\s+(?:-\s+)?protoc(?:-gen-go(?:-grpc)?)?\s+v[\d.]+/;
-            const baseSha = context.payload.pull_request.base.sha;
-            const headSha = context.payload.pull_request.head.sha;
-
-            async function getVersionHeader(path, ref) {
-              try {
-                const res = await github.rest.repos.getContent({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  path,
-                  ref,
-                });
-                if (!res.data.content) {
-                  return { ok: false, reason: 'no inline content (file too large)' };
-                }
-                const content = Buffer.from(res.data.content, 'base64').toString('utf8');
-                const lines = content
-                  .split('\n')
-                  .slice(0, 20)
-                  .filter(line => versionPattern.test(line));
-                return { ok: true, lines };
-              } catch (e) {
-                return { ok: false, reason: e.message };
-              }
-            }
-
+            const versionPattern = /^[+-]\s*\/\/\s+protoc(?:-gen-go)?\s+v[\d.]+/;
            const violations = [];
-            for (const file of changedPbFiles) {
-              const [base, head] = await Promise.all([
-                getVersionHeader(file.basePath, baseSha),
-                getVersionHeader(file.headPath, headSha),
-              ]);
-              if (!base.ok || !head.ok) {
-                core.warning(
-                  `Skipping ${file.headPath}: base=${base.ok ? 'ok' : base.reason}, head=${head.ok ? 'ok' : head.reason}`
-                );
-                continue;
-              }
-              if (base.lines.join('\n') !== head.lines.join('\n')) {
+
+            for (const file of pbFiles) {
+              const changed = file.patch
+                .split('\n')
+                .filter(line => versionPattern.test(line));
+              if (changed.length > 0) {
                violations.push({
-                  file: file.basePath === file.headPath
-                    ? file.headPath
-                    : `${file.basePath} → ${file.headPath}`,
-                  base: base.lines,
-                  head: head.lines,
+                  file: file.filename,
+                  lines: changed,
                });
              }
            }

            if (violations.length > 0) {
              const details = violations.map(v =>
-                `${v.file}:\n` +
-                `  base:\n${v.base.map(l => '    ' + l).join('\n') || '    (none)'}\n` +
-                `  head:\n${v.head.map(l => '    ' + l).join('\n') || '    (none)'}`
+                `${v.file}:\n${v.lines.map(l => '  ' + l).join('\n')}`
              ).join('\n\n');

              core.setFailed(
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,7 +9,7 @@ on:
  pull_request:

 env:
-  SIGN_PIPE_VER: "v0.1.5"
+  SIGN_PIPE_VER: "v0.1.4"
  GORELEASER_VER: "v2.14.3"
  PRODUCT_NAME: "NetBird"
  COPYRIGHT: "NetBird GmbH"
@@ -24,15 +24,13 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Generate FreeBSD port diff
-        run: bash -x release_files/freebsd-port-diff.sh
+        run: bash release_files/freebsd-port-diff.sh

      - name: Generate FreeBSD port issue body
-        run: bash -x release_files/freebsd-port-issue-body.sh
+        run: bash release_files/freebsd-port-issue-body.sh

      - name: Check if diff was generated
        id: check_diff
@@ -53,26 +51,19 @@ jobs:
          echo "Generated files for version: $VERSION"
          cat netbird-*.diff

-      - name: Read Go version from go.mod
-        id: goversion
-        run: echo "version=$(awk '/^go / {print $2}' go.mod)" >> "$GITHUB_OUTPUT"
-
      - name: Test FreeBSD port
        if: steps.check_diff.outputs.diff_exists == 'true'
-        env:
-          GO_VERSION: ${{ steps.goversion.outputs.version }}
-        uses: vmactions/freebsd-vm@d1e65811565151536c0c894fff74f06351ed26e6 # v1.4.5
+        uses: vmactions/freebsd-vm@v1
        with:
          usesh: true
          copyback: false
          release: "15.0"
-          envs: "GO_VERSION"
          prepare: |
            # Install required packages
-            pkg install -y git curl portlint
+            pkg install -y git curl portlint go

            # Install Go for building
-            GO_TARBALL="go${GO_VERSION}.freebsd-amd64.tar.gz"
+            GO_TARBALL="go1.25.5.freebsd-amd64.tar.gz"
            GO_URL="https://go.dev/dl/$GO_TARBALL"
            curl -LO "$GO_URL"
            tar -C /usr/local -xzf "$GO_TARBALL"
@@ -102,19 +93,19 @@ jobs:

            # Show patched Makefile
            version=$(cat security/netbird/Makefile | grep -E '^DISTVERSION=' | awk '{print $NF}')
-
+            
            cd /usr/ports/security/netbird
            export BATCH=yes
            make package
            pkg add ./work/pkg/netbird-*.pkg
-
+            
            netbird version | grep "$version"

            echo "FreeBSD port test completed successfully!"

      - name: Upload FreeBSD port files
        if: steps.check_diff.outputs.diff_exists == 'true'
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: freebsd-port-files
          path: |
@@ -133,25 +124,26 @@ jobs:
    env:
      flags: ""
    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0 # It is required for GoReleaser to work properly
-          persist-credentials: false
-
      - name: Parse semver string
        id: semver_parser
-        uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
+        uses: booxmedialtd/ws-action-parse-semver@v1
+        with:
+          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
+          version_extractor_regex: '\/v(.*)$'

      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot" >> $GITHUB_ENV
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # It is required for GoReleaser to work properly
      - name: Set up Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
        with:
          path: |
            ~/go/pkg/mod
@@ -164,18 +156,18 @@ jobs:
      - name: check git status
        run: git --no-pager diff --exit-code
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a #v4.0.0
+        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0
+        uses: docker/setup-buildx-action@v2
      - name: Login to Docker hub
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Log in to the GitHub container registry
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -199,7 +191,7 @@ jobs:
        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
      - name: Run GoReleaser
        id: goreleaser
-        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
+        uses: goreleaser/goreleaser-action@v4
        with:
          version: ${{ env.GORELEASER_VER }}
          args: release --clean ${{ env.flags }}
@@ -290,28 +282,28 @@ jobs:
          } >> "$GITHUB_OUTPUT"
      - name: upload non tags for debug purposes
        id: upload_release
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: release
          path: dist/
          retention-days: 7
      - name: upload linux packages
        id: upload_linux_packages
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: linux-packages
          path: dist/netbird_linux**
          retention-days: 7
      - name: upload windows packages
        id: upload_windows_packages
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: windows-packages
          path: dist/netbird_windows**
          retention-days: 7
      - name: upload macos packages
        id: upload_macos_packages
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: macos-packages
          path: dist/netbird_darwin**
@@ -322,26 +314,27 @@ jobs:
    outputs:
      release_ui_artifact_url: ${{ steps.upload_release_ui.outputs.artifact-url }}
    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0 # It is required for GoReleaser to work properly
-          persist-credentials: false
-
      - name: Parse semver string
        id: semver_parser
-        uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
+        uses: booxmedialtd/ws-action-parse-semver@v1
+        with:
+          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
+          version_extractor_regex: '\/v(.*)$'

      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot" >> $GITHUB_ENV
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # It is required for GoReleaser to work properly

      - name: Set up Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Cache Go modules
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
        with:
          path: |
            ~/go/pkg/mod
@@ -382,7 +375,7 @@ jobs:
        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/ui/manifest.xml -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_arm64.syso

      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
+        uses: goreleaser/goreleaser-action@v4
        with:
          version: ${{ env.GORELEASER_VER }}
          args: release --config .goreleaser_ui.yaml --clean ${{ env.flags }}
@@ -411,7 +404,7 @@ jobs:
        run: rm -f /tmp/gpg-rpm-signing-key.asc
      - name: upload non tags for debug purposes
        id: upload_release_ui
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: release-ui
          path: dist/
@@ -425,17 +418,16 @@ jobs:
      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot" >> $GITHUB_ENV
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # It is required for GoReleaser to work properly
-          persist-credentials: false
      - name: Set up Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Cache Go modules
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
        with:
          path: |
            ~/go/pkg/mod
@@ -449,7 +441,7 @@ jobs:
        run: git --no-pager diff --exit-code
      - name: Run GoReleaser
        id: goreleaser
-        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
+        uses: goreleaser/goreleaser-action@v4
        with:
          version: ${{ env.GORELEASER_VER }}
          args: release --config .goreleaser_ui_darwin.yaml --clean ${{ env.flags }}
@@ -457,7 +449,7 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: upload non tags for debug purposes
        id: upload_release_ui_darwin
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: release-ui-darwin
          path: dist/
@@ -482,26 +474,27 @@ jobs:
      PackageWorkdir: netbird_windows_${{ matrix.arch }}
      downloadPath: '${{ github.workspace }}\temp'
    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
      - name: Parse semver string
        id: semver_parser
-        uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
+        uses: booxmedialtd/ws-action-parse-semver@v1
+        with:
+          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
+          version_extractor_regex: '\/v(.*)$'
+
+      - name: Checkout
+        uses: actions/checkout@v4

      - name: Add 7-Zip to PATH
        run: echo "C:\Program Files\7-Zip" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append

      - name: Download release artifacts
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.1
+        uses: actions/download-artifact@v4
        with:
          name: release
          path: release

      - name: Download UI release artifacts
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.1
+        uses: actions/download-artifact@v4
        with:
          name: release-ui
          path: release-ui
@@ -521,27 +514,29 @@ jobs:
          Get-ChildItem $workdir

      - name: Download wintun
+        uses: carlosperate/download-file-action@v2
        id: download-wintun
-        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
        with:
-          url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
-          destination: ${{ env.downloadPath }}\wintun.zip
-          sha256: 07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51
+          file-url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
+          file-name: wintun.zip
+          location: ${{ env.downloadPath }}
+          sha256: '07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51'

      - name: Decompress wintun files
-        run: tar -xvf "${{ env.downloadPath }}\wintun.zip" -C ${{ env.downloadPath }}
+        run: tar -zvxf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}

      - name: Move wintun.dll into dist
        run: mv ${{ env.downloadPath }}\wintun\bin\${{ matrix.wintun_arch }}\wintun.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\

      - name: Download Mesa3D (amd64 only)
+        uses: carlosperate/download-file-action@v2
        id: download-mesa3d
        if: matrix.arch == 'amd64'
-        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
        with:
-          url: https://pkgs.netbird.io/mesa3d/MesaForWindows-x64-20.1.8.7z
-          destination: ${{ env.downloadPath }}\mesa3d.7z
-          sha256: 71c7cb64ec229a1d6b8d62fa08e1889ed2bd17c0eeede8689daf0f25cb31d6b9
+          file-url: https://downloads.fdossena.com/Projects/Mesa3D/Builds/MesaForWindows-x64-20.1.8.7z
+          file-name: mesa3d.7z
+          location: ${{ env.downloadPath }}
+          sha256: '71c7cb64ec229a1d6b8d62fa08e1889ed2bd17c0eeede8689daf0f25cb31d6b9'

      - name: Extract Mesa3D driver (amd64 only)
        if: matrix.arch == 'amd64'
@@ -552,38 +547,35 @@ jobs:
        run: mv ${{ env.downloadPath }}\opengl32.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\

      - name: Download EnVar plugin for NSIS
-        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
+        uses: carlosperate/download-file-action@v2
        with:
-          url: https://pkgs.netbird.io/nsis/EnVar_plugin.zip
-          destination: ${{ github.workspace }}\envar_plugin.zip
-          sha256: e9aa92de351345ed82795251d838f1ae9041ba35af9d381a5780c7843b01f56a
+          file-url: https://nsis.sourceforge.io/mediawiki/images/7/7f/EnVar_plugin.zip
+          file-name: envar_plugin.zip
+          location: ${{ github.workspace }}

      - name: Extract EnVar plugin
        run: 7z x -o"${{ github.workspace }}/NSIS_Plugins" "${{ github.workspace }}/envar_plugin.zip"

      - name: Download ShellExecAsUser plugin for NSIS (amd64 only)
+        uses: carlosperate/download-file-action@v2
        if: matrix.arch == 'amd64'
-        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
        with:
-          url: https://pkgs.netbird.io/nsis/ShellExecAsUser_amd64-Unicode.7z
-          destination: ${{ github.workspace }}\ShellExecAsUser_amd64-Unicode.7z
-          sha256: 0a55ea25c7330a92cec028eda8afcaf1b1a7092e0dfb77c21c8f654564b4ff9d
+          file-url: https://nsis.sourceforge.io/mediawiki/images/6/68/ShellExecAsUser_amd64-Unicode.7z
+          file-name: ShellExecAsUser_amd64-Unicode.7z
+          location: ${{ github.workspace }}

      - name: Extract ShellExecAsUser plugin (amd64 only)
        if: matrix.arch == 'amd64'
        run: 7z x -o"${{ github.workspace }}/NSIS_Plugins" "${{ github.workspace }}/ShellExecAsUser_amd64-Unicode.7z"

      - name: Build NSIS installer
-        shell: pwsh
+        uses: joncloud/makensis-action@v3.3
+        with:
+          additional-plugin-paths: ${{ github.workspace }}/NSIS_Plugins/Plugins
+          script-file: client/installer.nsis
+          arguments: "/V4 /DARCH=${{ matrix.arch }}"
        env:
          APPVER: ${{ steps.semver_parser.outputs.major }}.${{ steps.semver_parser.outputs.minor }}.${{ steps.semver_parser.outputs.patch }}.${{ github.run_id }}
-        run: |
-          $nsisPluginDir = "C:\Program Files (x86)\NSIS\Plugins\x86-unicode"
-          $srcPlugins    = "${{ github.workspace }}\NSIS_Plugins\Plugins"
-          Get-ChildItem -Path $srcPlugins -Recurse -Filter *.dll |
-            Copy-Item -Destination $nsisPluginDir -Force
-          & "C:\Program Files (x86)\NSIS\makensis.exe" /V4 "/DARCH=${{ matrix.arch }}" client\installer.nsis
-          if ($LASTEXITCODE -ne 0) { throw "makensis failed with exit code $LASTEXITCODE" }

      - name: Rename NSIS installer
        run: mv netbird-installer.exe netbird_installer_test_windows_${{ matrix.arch }}.exe
@@ -600,7 +592,7 @@ jobs:

      - name: Upload installer artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: windows-installer-test-${{ matrix.arch }}
          path: |
@@ -619,7 +611,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Create or update PR comment
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v7
        env:
          RELEASE_RESULT: ${{ needs.release.result }}
          RELEASE_UI_RESULT: ${{ needs.release_ui.result }}
@@ -711,7 +703,7 @@ jobs:
    if: startsWith(github.ref, 'refs/tags/')
    steps:
      - name: Trigger binaries sign pipelines
-        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
+        uses: benc-uk/workflow-dispatch@v1
        with:
          workflow: Sign bin and installer
          repo: netbirdio/sign-pipelines
--- a/.github/workflows/sync-main.yml
+++ b/.github/workflows/sync-main.yml
@@ -14,9 +14,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger main branch sync
-        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
+        uses: benc-uk/workflow-dispatch@v1
        with:
          workflow: sync-main.yml
          repo: ${{ secrets.UPSTREAM_REPO }}
          token: ${{ secrets.NC_GITHUB_TOKEN }}
-          inputs: '{ "sha": "${{ github.sha }}" }'
+          inputs: '{ "sha": "${{ github.sha }}" }'
--- a/.github/workflows/sync-tag.yml
+++ b/.github/workflows/sync-tag.yml
@@ -3,7 +3,7 @@ name: sync tag
 on:
  push:
    tags:
-      - "v*"
+      - 'v*'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger release tag sync
-        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
+        uses: benc-uk/workflow-dispatch@v1
        with:
          workflow: sync-tag.yml
          ref: main
@@ -29,7 +29,7 @@ jobs:
    if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
    steps:
      - name: Trigger android-client submodule bump
-        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
+        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
        with:
          workflow: bump-netbird.yml
          ref: main
@@ -42,10 +42,10 @@ jobs:
    if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
    steps:
      - name: Trigger ios-client submodule bump
-        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
+        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
        with:
          workflow: bump-netbird.yml
          ref: main
          repo: netbirdio/ios-client
          token: ${{ secrets.NC_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref_name }}" }'
+          inputs: '{ "tag": "${{ github.ref_name }}" }'
--- a/.github/workflows/test-infrastructure-files.yml
+++ b/.github/workflows/test-infrastructure-files.yml
@@ -6,10 +6,10 @@ on:
      - main
  pull_request:
    paths:
-      - "infrastructure_files/**"
-      - ".github/workflows/test-infrastructure-files.yml"
-      - "management/cmd/**"
-      - "signal/cmd/**"
+      - 'infrastructure_files/**'
+      - '.github/workflows/test-infrastructure-files.yml'
+      - 'management/cmd/**'
+      - 'signal/cmd/**'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
@@ -20,7 +20,7 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        store: ["sqlite", "postgres", "mysql"]
+        store: [ 'sqlite', 'postgres', 'mysql' ]
    services:
      postgres:
        image: ${{ (matrix.store == 'postgres') && 'postgres' || '' }}
@@ -68,17 +68,15 @@ jobs:
        run: sudo apt-get install -y curl

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"

      - name: Cache Go modules
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -141,8 +139,8 @@ jobs:
          CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
          CI_NETBIRD_SIGNAL_PORT: 12345
          CI_NETBIRD_STORE_CONFIG_ENGINE: ${{ matrix.store }}
-          NETBIRD_STORE_ENGINE_POSTGRES_DSN: "${{ env.NETBIRD_STORE_ENGINE_POSTGRES_DSN }}$"
-          NETBIRD_STORE_ENGINE_MYSQL_DSN: "${{ env.NETBIRD_STORE_ENGINE_MYSQL_DSN }}$"
+          NETBIRD_STORE_ENGINE_POSTGRES_DSN: '${{ env.NETBIRD_STORE_ENGINE_POSTGRES_DSN }}$'
+          NETBIRD_STORE_ENGINE_MYSQL_DSN: '${{ env.NETBIRD_STORE_ENGINE_MYSQL_DSN }}$'
          CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false
          CI_NETBIRD_TURN_EXTERNAL_IP: "1.2.3.4"
          CI_NETBIRD_MGMT_DISABLE_DEFAULT_POLICY: false
@@ -256,9 +254,7 @@ jobs:
        run: sudo apt-get install -y jq

      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4

      - name: run script with Zitadel PostgreSQL
        run: NETBIRD_DOMAIN=use-ip bash -x infrastructure_files/getting-started-with-zitadel.sh
--- a/.github/workflows/update-docs.yml
+++ b/.github/workflows/update-docs.yml
@@ -3,9 +3,9 @@ name: update docs
 on:
  push:
    tags:
-      - "v*"
+      - 'v*'
    paths:
-      - "shared/management/http/api/openapi.yml"
+      - 'shared/management/http/api/openapi.yml'

 jobs:
  trigger_docs_api_update:
@@ -13,10 +13,10 @@ jobs:
    if: startsWith(github.ref, 'refs/tags/')
    steps:
      - name: Trigger API pages generation
-        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
+        uses: benc-uk/workflow-dispatch@v1
        with:
          workflow: generate api pages
          repo: netbirdio/docs
          ref: "refs/heads/main"
          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref }}" }'
+          inputs: '{ "tag": "${{ github.ref }}" }'
--- a/.github/workflows/wasm-build-validation.yml
+++ b/.github/workflows/wasm-build-validation.yml
@@ -19,17 +19,15 @@ jobs:
      GOARCH: wasm
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
      - name: Install golangci-lint
-        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee #v9.2.1
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
        with:
          version: latest
          install-mode: binary
@@ -44,11 +42,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v4
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: Build Wasm client
@@ -69,3 +65,4 @@ jobs:
            echo "Wasm binary size (${SIZE_MB}MB) exceeds 60MB limit!"
            exit 1
          fi
+
--- a/README.md
+++ b/README.md
@@ -1,134 +1,147 @@

 <div align="center">
-  <p align="center">
-    <img width="234" src="docs/media/logo-full.png" alt="NetBird logo"/>
-  </p>
-  <p align="center">
-    <a href="https://sonarcloud.io/dashboard?id=netbirdio_netbird">
-      <img src="https://sonarcloud.io/api/project_badges/measure?project=netbirdio_netbird&metric=alert_status" alt="SonarCloud alert status"/>
-    </a>
-    <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
-      <img src="https://img.shields.io/badge/license-BSD--3-blue" alt="BSD-3 License"/>
-    </a>
+<br/>
+  <br/>
+<p align="center">
+  <img width="234" src="docs/media/logo-full.png"/>
+</p>
+  <p>
+   <a href="https://img.shields.io/badge/license-BSD--3-blue)">
+       <img src="https://sonarcloud.io/api/project_badges/measure?project=netbirdio_netbird&metric=alert_status" />
+     </a> 
+     <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
+       <img src="https://img.shields.io/badge/license-BSD--3-blue" />
+     </a> 
+    <br>
    <a href="https://docs.netbird.io/slack-url">
-      <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack" alt="NetBird Slack"/>
-    </a>
+        <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack"/>
+     </a>
    <a href="https://forum.netbird.io">
-      <img src="https://img.shields.io/badge/community%20forum-@netbird-red.svg?logo=discourse" alt="Community forum"/>
-    </a>
+        <img src="https://img.shields.io/badge/community forum-@netbird-red.svg?logo=discourse"/>
+     </a>  
+     <br>
    <a href="https://gurubase.io/g/netbird">
-      <img src="https://img.shields.io/badge/Gurubase-Ask%20NetBird%20Guru-006BFF" alt="Gurubase: Ask NetBird Guru"/>
-    </a>
+        <img src="https://img.shields.io/badge/Gurubase-Ask%20NetBird%20Guru-006BFF"/>
+     </a>    
  </p>
 </div>

+
 <p align="center">
-  <strong>
-    Start using NetBird at <a href="https://netbird.io/pricing">netbird.io</a>
-    <br/>
-    See <a href="https://netbird.io/docs/">Documentation</a>
-    <br/>
-    Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a> or our <a href="https://forum.netbird.io">Community forum</a>
-  </strong>
+<strong>
+  Start using NetBird at <a href="https://netbird.io/pricing">netbird.io</a>
  <br/>
+  See <a href="https://netbird.io/docs/">Documentation</a>
  <br/>
-  <strong>
-    🚀 <a href="https://careers.netbird.io">We are hiring! Join us at careers.netbird.io</a>
-  </strong>
+   Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a> or our <a href="https://forum.netbird.io">Community forum</a>
+  <br/>
+ 
+</strong>
+<br>
+<strong>
+  🚀 <a href="https://careers.netbird.io">We are hiring! Join us at careers.netbird.io</a>
+</strong>
+<br>
+<br>
+<a href="https://registry.terraform.io/providers/netbirdio/netbird/latest">
+    New: NetBird terraform provider
+  </a> 
 </p>

+<br>
+
 **NetBird combines a configuration-free peer-to-peer private network and a centralized access control system in a single platform, making it easy to create secure private networks for your organization or home.**

 **Connect.** NetBird creates a WireGuard-based overlay network that automatically connects your machines over an encrypted tunnel, leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.

 **Secure.** NetBird enables secure remote access by applying granular access policies while allowing you to manage them intuitively from a single place. Works universally on any infrastructure.

+### Open Source Network Security in a Single Platform
+
 https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2

-### Self-host NetBird (video)
-
+### Self-Host NetBird (Video)
 [![Watch the video](https://img.youtube.com/vi/bZAgpT6nzaQ/0.jpg)](https://youtu.be/bZAgpT6nzaQ)

 ### Key features

-| Connectivity | Management | Security | Automation | Platforms |
-|---|---|---|---|---|
-| ✓ [Kernel WireGuard](https://docs.netbird.io/about-netbird/why-wireguard-with-netbird) | ✓ [Admin Web UI](https://github.com/netbirdio/dashboard) | ✓ [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login) | ✓ [Public API](https://docs.netbird.io/api) | ✓ [Linux](https://docs.netbird.io/get-started/install/linux) |
-| ✓ [Peer-to-peer connections](https://docs.netbird.io/about-netbird/how-netbird-works) | ✓ Auto peer discovery and configuration | ✓ [Access control: groups & rules](https://docs.netbird.io/how-to/manage-network-access) | ✓ [Setup keys for bulk provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) | ✓ [macOS](https://docs.netbird.io/get-started/install/macos) |
-| ✓ Connection relay fallback | ✓ [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) | ✓ [Activity logging](https://docs.netbird.io/how-to/audit-events-logging) | ✓ [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) | ✓ [Windows](https://docs.netbird.io/get-started/install/windows) |
-| ✓ [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) | ✓ [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) | ✓ [Traffic events](https://docs.netbird.io/manage/activity/traffic-events-logging) | ✓ [IdP groups sync with JWT](https://docs.netbird.io/manage/team/idp-sync) | ✓ [Android](https://docs.netbird.io/get-started/install/android) |
-| ✓ [Domain-based DNS routes](https://docs.netbird.io/manage/dns/dns-aliases-for-routed-networks) | ✓ [Custom DNS zones](https://docs.netbird.io/manage/dns/custom-zones) | ✓ [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks) | ✓ [Terraform provider](https://registry.terraform.io/providers/netbirdio/netbird/latest) | ✓ [Android TV](https://docs.netbird.io/get-started/install/android-tv) |
-| ✓ [Exit nodes](https://docs.netbird.io/manage/network-routes/use-cases/exit-nodes) | ✓ [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) | ✓ Peer-to-peer encryption | ✓ [Ansible collection](https://github.com/netbirdio/ansible-netbird) | ✓ [iOS](https://docs.netbird.io/get-started/install/ios) |
-| ✓ [IPv6 dual-stack overlay](https://docs.netbird.io/manage/settings/ipv6) | ✓ [Multi-account profile switching](https://docs.netbird.io/client/profiles) | ✓ [SSH with central access policies](https://docs.netbird.io/manage/peers/ssh) | | ✓ [Apple TV](https://docs.netbird.io/get-started/install/tvos) |
-| ✓ [Browser SSH & RDP](https://docs.netbird.io/manage/peers/browser-client) | | ✓ [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn) | | ✓ FreeBSD |
-| ✓ [Reverse proxy with auto-TLS](https://docs.netbird.io/manage/reverse-proxy) | | ✓ [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication) | | ✓ [pfSense](https://docs.netbird.io/get-started/install/pfsense) |
-| | | | | ✓ [OPNsense](https://docs.netbird.io/get-started/install/opnsense) |
-| | | | | ✓ [MikroTik RouterOS](https://docs.netbird.io/use-cases/homelab/client-on-mikrotik-router) |
-| | | | | ✓ OpenWRT |
-| | | | | ✓ [Synology](https://docs.netbird.io/get-started/install/synology) |
-| | | | | ✓ [TrueNAS](https://docs.netbird.io/get-started/install/truenas) |
-| | | | | ✓ [Proxmox](https://docs.netbird.io/get-started/install/proxmox-ve) |
-| | | | | ✓ [Raspberry Pi](https://docs.netbird.io/get-started/install/raspberrypi) |
-| | | | | ✓ [Serverless](https://docs.netbird.io/how-to/netbird-on-faas) |
-| | | | | ✓ [Container](https://docs.netbird.io/get-started/install/docker) |
+| Connectivity | Management | Security | Automation| Platforms |
+|----|----|----|----|----|
+| <ul><li>- \[x] Kernel WireGuard</ul></li> | <ul><li>- \[x] [Admin Web UI](https://github.com/netbirdio/dashboard)</ul></li> | <ul><li>- \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login)</ul></li> | <ul><li>- \[x] [Public API](https://docs.netbird.io/api)</ul></li> | <ul><li>- \[x] Linux</ul></li> |
+| <ul><li>- \[x] Peer-to-peer connections</ul></li> | <ul><li>- \[x] Auto peer discovery and configuration</ui></li> | <ul><li>- \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access)</ui></li> | <ul><li>- \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys)</ui></li> | <ul><li>- \[x] Mac</ui></li> |
+| <ul><li>- \[x] Connection relay fallback</ui></li> | <ul><li>- \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers)</ui></li> | <ul><li>- \[x] [Activity logging](https://docs.netbird.io/how-to/audit-events-logging)</ui></li> | <ul><li>- \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart)</ui></li> | <ul><li>- \[x] Windows</ui></li> |
+| <ul><li>- \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks)</ui></li> | <ul><li>- \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network)</ui></li> | <ul><li>- \[x] [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks)</ui></li> | <ul><li>- \[x] IdP groups sync with JWT</ui></li> | <ul><li>- \[x] Android</ui></li> |
+| <ul><li>- \[x] NAT traversal with BPF</ui></li> | <ul><li>- \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network)</ui></li> | <ul><li>- \[x] Peer-to-peer encryption</ui></li> || <ul><li>- \[x] iOS</ui></li> |
+||| <ul><li>- \[x] [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn)</ui></li> || <ul><li>- \[x] OpenWRT</ui></li> |
+||| <ul><li>- \[x] [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication)</ui></li> || <ul><li>- \[x] [Serverless](https://docs.netbird.io/how-to/netbird-on-faas)</ui></li> |
+||||| <ul><li>- \[x] Docker</ui></li> |

 ### Quickstart with NetBird Cloud

- Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install).
- Follow the steps to sign up with Google, Microsoft, GitHub or your email address.
- Check the NetBird [admin UI](https://app.netbird.io/).
+- Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install)
+- Follow the steps to sign-up with Google, Microsoft, GitHub or your email address.
+- Check NetBird [admin UI](https://app.netbird.io/).
+- Add more machines.

 ### Quickstart with self-hosted NetBird

-This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM. Follow the [Advanced guide with a custom identity provider](https://docs.netbird.io/selfhosted/selfhosted-guide#advanced-guide-with-a-custom-identity-provider) for installations with different IdPs.
+> This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM.
+Follow the [Advanced guide with a custom identity provider](https://docs.netbird.io/selfhosted/selfhosted-guide#advanced-guide-with-a-custom-identity-provider) for installations with different IDPs.

 **Infrastructure requirements:**
- A Linux VM with at least **1 CPU** and **2 GB** of memory.
- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port **3478**.
- A **public domain** name pointing to the VM.
+- A Linux VM with at least **1CPU** and **2GB** of memory.
+- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port: **3478**.
+- **Public domain** name pointing to the VM.

 **Software requirements:**
- Docker with the Compose plugin (Compose v2 or higher). See the [Docker installation guide](https://docs.docker.com/engine/install/).
+- Docker installed on the VM with the docker-compose plugin ([Docker installation guide](https://docs.docker.com/engine/install/)) or docker with docker-compose in version 2 or higher.
+- [jq](https://jqlang.github.io/jq/) installed. In most distributions
+  Usually available in the official repositories and can be installed with `sudo apt install jq` or `sudo yum install jq`
+- [curl](https://curl.se/) installed.
+  Usually available in the official repositories and can be installed with `sudo apt install curl` or `sudo yum install curl`

 **Steps**
 - Download and run the installation script:
 ```bash
 export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash
 ```
+- Once finished, you can manage the resources via `docker-compose`

 ### A bit on NetBird internals
- Every machine in the network runs the [NetBird agent](client/), which manages WireGuard.
- Every agent connects to the [Management Service](management/), which holds network state, manages peer IPs, and distributes updates to agents.
- Agents use ICE (via [pion/ice](https://github.com/pion/ice)) to discover connection candidates for peer-to-peer connections.
- Candidates are discovered with the help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
- Agents negotiate a connection through the [Signal Service](signal/), exchanging end-to-end encrypted messages with candidates.
- When NAT traversal fails (e.g. mobile carrier-grade NAT) and a direct p2p connection isn't possible, the system falls back to a [Relay Service](relay/) and a secure WireGuard tunnel is established through it.
+-  Every machine in the network runs [NetBird Agent (or Client)](client/) that manages WireGuard.
+-  Every agent connects to [Management Service](management/) that holds network state, manages peer IPs, and distributes network updates to agents (peers).
+-  NetBird agent uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between machines.
+-  Connection candidates are discovered with the help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
+-  Agents negotiate a connection through [Signal Service](signal/) passing p2p encrypted messages with candidates.
+-  Sometimes the NAT traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT) and a p2p connection isn't possible. When this occurs the system falls back to a relay server called [TURN](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT), and a secure WireGuard tunnel is established via the TURN server. 
+ 
+[Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in NetBird setups.

 <p float="left" align="middle">
-  <img src="https://docs.netbird.io/docs-static/img/about-netbird/high-level-dia.png" width="700" alt="NetBird high-level architecture diagram"/>
+  <img src="https://docs.netbird.io/docs-static/img/about-netbird/high-level-dia.png" width="700"/>
 </p>

 See a complete [architecture overview](https://docs.netbird.io/about-netbird/how-netbird-works#architecture) for details.

 ### Community projects
- [NetBird installer script](https://github.com/physk/netbird-installer)
- [netbird-tui](https://github.com/n0pashkov/netbird-tui) - terminal UI for managing NetBird peers, routes, and settings
- [caddy-netbird](https://github.com/lixmal/caddy-netbird) - Caddy plugin that embeds a NetBird client for proxying HTTP and TCP/UDP traffic through NetBird networks
+-  [NetBird installer script](https://github.com/physk/netbird-installer)
+-  [NetBird ansible collection by Dominion Solutions](https://galaxy.ansible.com/ui/repo/published/dominion_solutions/netbird/)
+-  [netbird-tui](https://github.com/n0pashkov/netbird-tui) — terminal UI for managing NetBird peers, routes, and settings

 **Note**: The `main` branch may be in an *unstable or even broken state* during development.
 For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).

 ### Support acknowledgement

-In November 2022, NetBird joined the [StartUpSecure program](https://www.forschung-it-sicherheit-kommunikationssysteme.de/foerderung/bekanntmachungen/startup-secure) sponsored by the Federal Ministry of Education and Research of the Federal Republic of Germany. Together with the [CISPA Helmholtz Center for Information Security](https://cispa.de/en), NetBird brings security best practices and simplicity to private networking.
+In November 2022, NetBird joined the [StartUpSecure program](https://www.forschung-it-sicherheit-kommunikationssysteme.de/foerderung/bekanntmachungen/startup-secure) sponsored by The Federal Ministry of Education and Research of The Federal Republic of Germany. Together with [CISPA Helmholtz Center for Information Security](https://cispa.de/en) NetBird brings the security best practices and simplicity to private networking.

 ![CISPA_Logo_BLACK_EN_RZ_RGB (1)](https://user-images.githubusercontent.com/700848/203091324-c6d311a0-22b5-4b05-a288-91cbc6cdcc46.png)

-### Acknowledgements
-We build on open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE](https://github.com/pion/ice), and [Rosenpass](https://rosenpass.eu). We greatly appreciate the work these projects are doing, and we'd love it if you could support them too (e.g., by starring or contributing).
+### Testimonials
+We use open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), [Coturn](https://github.com/coturn/coturn), and [Rosenpass](https://rosenpass.eu). We very much appreciate the work these guys are doing and we'd greatly appreciate if you could support them in any way (e.g., by giving a star or a contribution).

 ### Legal
-This repository is licensed under the BSD-3-Clause license, which applies to all parts of the repository except for the directories management/, signal/ and relay/.
+This repository is licensed under BSD-3-Clause license that applies to all parts of the repository except for the directories management/, signal/ and relay/.
 Those directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.

 _WireGuard_ and the _WireGuard_ logo are [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.
--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -3,14 +3,12 @@ package cmd
 import (
 	"context"
 	"fmt"
-	"os/user"
 	"strings"
 	"time"

 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
-	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/types/known/durationpb"

 	"github.com/netbirdio/netbird/client/internal"
@@ -21,7 +19,6 @@ import (
 	"github.com/netbirdio/netbird/client/server"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/upload-server/types"
-	"github.com/netbirdio/netbird/version"
 )

 const errCloseConnection = "Failed to close connection: %v"
@@ -87,80 +84,6 @@ var persistenceCmd = &cobra.Command{
 	RunE:    setSyncResponsePersistence,
 }

-var debugConfigCmd = &cobra.Command{
-	Use:     "config",
-	Example: "  netbird debug config",
-	Short:   "Dump the effective configuration",
-	Long:    "Prints the daemon's resolved configuration (after applying defaults, file, env, CLI input, and MDM policy overrides) as JSON. Includes the list of MDM-managed fields.",
-	RunE:    debugConfigDump,
-}
-
-// debugConfigDump implements `netbird debug config`. It resolves the
-// active profile, queries the daemon for the effective configuration
-// via GetConfig, and prints the resulting GetConfigResponse as JSON
-// (via protojson with EmitUnpopulated=true so the output is stable
-// across runs and includes zero-valued fields).
-//
-// Useful for verifying MDM enforcement end-to-end: the response's
-// mDMManagedFields array is the single source of truth for "which
-// fields is the daemon currently enforcing from the MDM source", and
-// every config field side-by-side with that list confirms the
-// merge result. Secrets in the response (e.g. PreSharedKey) are
-// debugConfigDump requests the daemon for the resolved effective configuration and prints it as indented JSON.
-// It resolves the active profile and current OS user, calls DaemonService.GetConfig with those values, and
-// marshals the response using protojson with default/zero-valued fields included.
-// debugConfigDump prints the daemon's effective configuration for the active profile and current OS user as indented JSON.
-// It requests the configuration from the daemon and writes the protobuf response with default fields emitted to stdout.
-// Returns an error if active profile or user lookup fails, the daemon RPC fails, or the response cannot be marshaled.
-func debugConfigDump(cmd *cobra.Command, _ []string) error {
-	pm := profilemanager.NewProfileManager()
-	activeProf, err := pm.GetActiveProfile()
-	if err != nil {
-		return fmt.Errorf("get active profile: %v", err)
-	}
-	currUser, err := user.Current()
-	if err != nil {
-		return fmt.Errorf("get current user: %v", err)
-	}
-
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Errorf(errCloseConnection, err)
-		}
-	}()
-
-	client := proto.NewDaemonServiceClient(conn)
-	resp, err := client.GetConfig(cmd.Context(), &proto.GetConfigRequest{
-		ProfileName: activeProf.Name,
-		Username:    currUser.Username,
-	})
-	if err != nil {
-		return fmt.Errorf("failed to get config: %v", status.Convert(err).Message())
-	}
-
-	// Use protojson so well-known fields render correctly; emit defaults so
-	// the operator sees every field even when zero/empty.
-	m := protojson.MarshalOptions{Multiline: true, Indent: "  ", EmitUnpopulated: true}
-	out, err := m.Marshal(resp)
-	if err != nil {
-		return fmt.Errorf("marshal config: %w", err)
-	}
-	cmd.Println(string(out))
-	return nil
-}
-
-// debugBundle requests the daemon to create a debug bundle and prints the resulting
-// local file path and, if uploaded, the uploaded file key.
-// It uses the package flags (anonymize, system info, log file count, CLI version and
-// optional upload URL) to configure the bundle request. Returns an error if the RPC
-// debugBundle requests creation of a debug bundle from the daemon and prints
-// the local bundle file path and, if uploading was enabled, the uploaded file key.
-// It returns an error if the RPC fails, if the daemon reports an upload failure
-// reason, or if establishing the connection fails.
 func debugBundle(cmd *cobra.Command, _ []string) error {
 	conn, err := getClient(cmd)
 	if err != nil {
@@ -177,7 +100,6 @@ func debugBundle(cmd *cobra.Command, _ []string) error {
 		Anonymize:    anonymizeFlag,
 		SystemInfo:   systemInfoFlag,
 		LogFileCount: logFileCount,
-		CliVersion:   version.NetbirdVersion(),
 	}
 	if uploadBundleFlag {
 		request.UploadURL = uploadBundleURLFlag
@@ -376,7 +298,6 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		Anonymize:    anonymizeFlag,
 		SystemInfo:   systemInfoFlag,
 		LogFileCount: logFileCount,
-		CliVersion:   version.NetbirdVersion(),
 	}
 	if uploadBundleFlag {
 		request.UploadURL = uploadBundleURLFlag
@@ -511,7 +432,6 @@ func generateDebugBundle(config *profilemanager.Config, recorder *peer.Status, c
 			SyncResponse:   syncResponse,
 			LogPath:        logFilePath,
 			CPUProfile:     nil,
-			DaemonVersion:  version.NetbirdVersion(), // acting as daemon
 		},
 		debug.BundleConfig{
 			IncludeSystemInfo: true,
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -95,9 +95,7 @@ var (
 	}
 )

-// Execute runs the appropriate Cobra command for the CLI.
-// If the process is the update binary it delegates to updateCmd; otherwise it runs the root command.
-// It returns any error produced during command execution.
+// Execute executes the root command.
 func Execute() error {
 	if isUpdateBinary() {
 		return updateCmd.Execute()
@@ -105,20 +103,6 @@ func Execute() error {
 	return rootCmd.Execute()
 }

-// init initializes package-level defaults and the CLI command tree.
-// init sets platform-specific default config and log directory paths and a default daemon address,
-// registers persistent flags (daemon address, management/admin URLs, logging, setup key, preshared key,
-// hostname, anonymize, config path), attaches top-level and nested subcommands to the root command,
-// and configures `up` command specific flags (external IP maps, DNS resolver address, Rosenpass options,
-// init initializes package-level defaults and configures the root Cobra command.
-// 
-// It sets default configuration and log directory paths (including legacy Wiretrustee
-// locations) based on the runtime OS, builds default config/log file paths, and selects
-// a platform-appropriate default daemon address. It registers persistent CLI flags
-// (including mutually exclusive setup-key and setup-key-file), attaches top-level
-// commands and subcommands to the root command, and registers `up`-specific persistent
-// flags for external IP mapping, custom DNS resolver address, Rosenpass options,
-// auto-connect disabling, and lazy connection.
 func init() {
 	defaultConfigPathDir = "/etc/netbird/"
 	defaultLogFileDir = "/var/log/netbird/"
@@ -184,7 +168,6 @@ func init() {
 	logCmd.AddCommand(logLevelCmd)
 	debugCmd.AddCommand(forCmd)
 	debugCmd.AddCommand(persistenceCmd)
-	debugCmd.AddCommand(debugConfigCmd)

 	// profile commands
 	profileCmd.AddCommand(profileListCmd)
--- a/client/cmd/service_controller.go
+++ b/client/cmd/service_controller.go
@@ -102,7 +102,7 @@ func (p *program) Stop(srv service.Service) error {
 }

 // Common setup for service control commands
-func setupServiceControlCommand(cmd *cobra.Command, ctx context.Context, cancel context.CancelFunc, consoleLog bool) (service.Service, error) {
+func setupServiceControlCommand(cmd *cobra.Command, ctx context.Context, cancel context.CancelFunc) (service.Service, error) {
 	// rootCmd env vars are already applied by PersistentPreRunE.
 	SetFlagsFromEnvVars(serviceCmd)

@@ -112,14 +112,8 @@ func setupServiceControlCommand(cmd *cobra.Command, ctx context.Context, cancel
 		return nil, err
 	}

-	if consoleLog {
-		if err := util.InitLog(logLevel, util.LogConsole); err != nil {
-			return nil, fmt.Errorf("init log: %w", err)
-		}
-	} else {
-		if err := util.InitLog(logLevel, logFiles...); err != nil {
-			return nil, fmt.Errorf("init log: %w", err)
-		}
+	if err := util.InitLog(logLevel, logFiles...); err != nil {
+		return nil, fmt.Errorf("init log: %w", err)
 	}

 	cfg, err := newSVCConfig()
@@ -144,7 +138,7 @@ var runCmd = &cobra.Command{
 		SetupCloseHandler(ctx, cancel)
 		SetupDebugHandler(ctx, nil, nil, nil, util.FindFirstLogPath(logFiles))

-		s, err := setupServiceControlCommand(cmd, ctx, cancel, false)
+		s, err := setupServiceControlCommand(cmd, ctx, cancel)
 		if err != nil {
 			return err
 		}
@@ -158,7 +152,7 @@ var startCmd = &cobra.Command{
 	Short: "starts NetBird service",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx, cancel := context.WithCancel(cmd.Context())
-		s, err := setupServiceControlCommand(cmd, ctx, cancel, false)
+		s, err := setupServiceControlCommand(cmd, ctx, cancel)
 		if err != nil {
 			return err
 		}
@@ -176,7 +170,7 @@ var stopCmd = &cobra.Command{
 	Short: "stops NetBird service",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx, cancel := context.WithCancel(cmd.Context())
-		s, err := setupServiceControlCommand(cmd, ctx, cancel, false)
+		s, err := setupServiceControlCommand(cmd, ctx, cancel)
 		if err != nil {
 			return err
 		}
@@ -194,7 +188,7 @@ var restartCmd = &cobra.Command{
 	Short: "restarts NetBird service",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx, cancel := context.WithCancel(cmd.Context())
-		s, err := setupServiceControlCommand(cmd, ctx, cancel, false)
+		s, err := setupServiceControlCommand(cmd, ctx, cancel)
 		if err != nil {
 			return err
 		}
@@ -212,7 +206,7 @@ var svcStatusCmd = &cobra.Command{
 	Short: "shows NetBird service status",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx, cancel := context.WithCancel(cmd.Context())
-		s, err := setupServiceControlCommand(cmd, ctx, cancel, true)
+		s, err := setupServiceControlCommand(cmd, ctx, cancel)
 		if err != nil {
 			return err
 		}
--- a/client/cmd/testutil_test.go
+++ b/client/cmd/testutil_test.go
@@ -11,7 +11,7 @@ import (
 	"go.opentelemetry.io/otel"
 	"google.golang.org/grpc"

-	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator/validator"
+	"github.com/netbirdio/management-integrations/integrations"

 	nbcache "github.com/netbirdio/netbird/management/server/cache"

@@ -109,7 +109,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 		t.Fatal(err)
 	}

-	iv, _ := validator.NewIntegratedValidator(ctx, peersmanager, settingsManagerMock, eventStore, cacheStore)
+	iv, _ := integrations.NewIntegratedValidator(ctx, peersmanager, settingsManagerMock, eventStore, cacheStore)

 	metrics, err := telemetry.NewDefaultAppMetrics(ctx)
 	require.NoError(t, err)
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -361,6 +361,12 @@ func setupSetConfigReq(customDNSAddressConverted []byte, cmd *cobra.Command, pro
 	if cmd.Flag(serverSSHAllowedFlag).Changed {
 		req.ServerSSHAllowed = &serverSSHAllowed
 	}
+	if cmd.Flag(serverVNCAllowedFlag).Changed {
+		req.ServerVNCAllowed = &serverVNCAllowed
+	}
+	if cmd.Flag(disableVNCApprovalFlag).Changed {
+		req.DisableVNCApproval = &disableVNCApproval
+	}
 	if cmd.Flag(enableSSHRootFlag).Changed {
 		req.EnableSSHRoot = &enableSSHRoot
 	}
@@ -467,30 +473,14 @@ func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFil
 	if cmd.Flag(serverSSHAllowedFlag).Changed {
 		ic.ServerSSHAllowed = &serverSSHAllowed
 	}
-
-	if cmd.Flag(enableSSHRootFlag).Changed {
-		ic.EnableSSHRoot = &enableSSHRoot
+	if cmd.Flag(serverVNCAllowedFlag).Changed {
+		ic.ServerVNCAllowed = &serverVNCAllowed
+	}
+	if cmd.Flag(disableVNCApprovalFlag).Changed {
+		ic.DisableVNCApproval = &disableVNCApproval
 	}

-	if cmd.Flag(enableSSHSFTPFlag).Changed {
-		ic.EnableSSHSFTP = &enableSSHSFTP
-	}
-
-	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
-		ic.EnableSSHLocalPortForwarding = &enableSSHLocalPortForward
-	}
-
-	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
-		ic.EnableSSHRemotePortForwarding = &enableSSHRemotePortForward
-	}
-
-	if cmd.Flag(disableSSHAuthFlag).Changed {
-		ic.DisableSSHAuth = &disableSSHAuth
-	}
-
-	if cmd.Flag(sshJWTCacheTTLFlag).Changed {
-		ic.SSHJWTCacheTTL = &sshJWTCacheTTL
-	}
+	applySSHFlagsToConfig(cmd, &ic)

 	if cmd.Flag(interfaceNameFlag).Changed {
 		if err := parseInterfaceName(interfaceName); err != nil {
@@ -566,6 +556,49 @@ func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFil
 	return &ic, nil
 }

+func applySSHFlagsToConfig(cmd *cobra.Command, ic *profilemanager.ConfigInput) {
+	if cmd.Flag(enableSSHRootFlag).Changed {
+		ic.EnableSSHRoot = &enableSSHRoot
+	}
+	if cmd.Flag(enableSSHSFTPFlag).Changed {
+		ic.EnableSSHSFTP = &enableSSHSFTP
+	}
+	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
+		ic.EnableSSHLocalPortForwarding = &enableSSHLocalPortForward
+	}
+	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
+		ic.EnableSSHRemotePortForwarding = &enableSSHRemotePortForward
+	}
+	if cmd.Flag(disableSSHAuthFlag).Changed {
+		ic.DisableSSHAuth = &disableSSHAuth
+	}
+	if cmd.Flag(sshJWTCacheTTLFlag).Changed {
+		ic.SSHJWTCacheTTL = &sshJWTCacheTTL
+	}
+}
+
+func applySSHFlagsToLogin(cmd *cobra.Command, req *proto.LoginRequest) {
+	if cmd.Flag(enableSSHRootFlag).Changed {
+		req.EnableSSHRoot = &enableSSHRoot
+	}
+	if cmd.Flag(enableSSHSFTPFlag).Changed {
+		req.EnableSSHSFTP = &enableSSHSFTP
+	}
+	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
+		req.EnableSSHLocalPortForwarding = &enableSSHLocalPortForward
+	}
+	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
+		req.EnableSSHRemotePortForwarding = &enableSSHRemotePortForward
+	}
+	if cmd.Flag(disableSSHAuthFlag).Changed {
+		req.DisableSSHAuth = &disableSSHAuth
+	}
+	if cmd.Flag(sshJWTCacheTTLFlag).Changed {
+		ttl := int32(sshJWTCacheTTL)
+		req.SshJWTCacheTTL = &ttl
+	}
+}
+
 func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte, cmd *cobra.Command) (*proto.LoginRequest, error) {
 	loginRequest := proto.LoginRequest{
 		SetupKey:            providedSetupKey,
@@ -595,31 +628,14 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 	if cmd.Flag(serverSSHAllowedFlag).Changed {
 		loginRequest.ServerSSHAllowed = &serverSSHAllowed
 	}
-
-	if cmd.Flag(enableSSHRootFlag).Changed {
-		loginRequest.EnableSSHRoot = &enableSSHRoot
+	if cmd.Flag(serverVNCAllowedFlag).Changed {
+		loginRequest.ServerVNCAllowed = &serverVNCAllowed
+	}
+	if cmd.Flag(disableVNCApprovalFlag).Changed {
+		loginRequest.DisableVNCApproval = &disableVNCApproval
 	}

-	if cmd.Flag(enableSSHSFTPFlag).Changed {
-		loginRequest.EnableSSHSFTP = &enableSSHSFTP
-	}
-
-	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
-		loginRequest.EnableSSHLocalPortForwarding = &enableSSHLocalPortForward
-	}
-
-	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
-		loginRequest.EnableSSHRemotePortForwarding = &enableSSHRemotePortForward
-	}
-
-	if cmd.Flag(disableSSHAuthFlag).Changed {
-		loginRequest.DisableSSHAuth = &disableSSHAuth
-	}
-
-	if cmd.Flag(sshJWTCacheTTLFlag).Changed {
-		sshJWTCacheTTL32 := int32(sshJWTCacheTTL)
-		loginRequest.SshJWTCacheTTL = &sshJWTCacheTTL32
-	}
+	applySSHFlagsToLogin(cmd, &loginRequest)

 	if cmd.Flag(disableAutoConnectFlag).Changed {
 		loginRequest.DisableAutoConnect = &autoConnectDisabled
--- a/client/cmd/version.go
+++ b/client/cmd/version.go
@@ -12,13 +12,7 @@ var (
 		Short: "Print the NetBird's client application version",
 		Run: func(cmd *cobra.Command, args []string) {
 			cmd.SetOut(cmd.OutOrStdout())
-			out := version.NetbirdVersion()
-			if version.IsDevelopmentVersion(out) {
-				if commit := version.NetbirdCommit(); commit != "" {
-					out += "-" + commit
-				}
-			}
-			cmd.Println(out)
+			cmd.Println(version.NetbirdVersion())
 		},
 	}
 )
--- a/client/cmd/vnc_agent.go
+++ b/client/cmd/vnc_agent.go
@@ -0,0 +1,100 @@
+//go:build windows || (darwin && !ios)
+
+package cmd
+
+import (
+	"fmt"
+	"net"
+	"net/netip"
+	"os"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	vncserver "github.com/netbirdio/netbird/client/vnc/server"
+)
+
+var (
+	vncAgentSocket    string
+	vncAgentTargetUID uint32
+)
+
+func init() {
+	vncAgentCmd.Flags().StringVar(&vncAgentSocket, "socket", "", "Unix-domain socket path the agent listens on (required)")
+	vncAgentCmd.Flags().Uint32Var(&vncAgentTargetUID, "target-uid", 0, "uid the agent should drop privileges to before listening (darwin only; 0 = stay as current uid)")
+	rootCmd.AddCommand(vncAgentCmd)
+}
+
+// vncAgentCmd runs a VNC server inside the user's interactive session,
+// listening on a Unix-domain socket. The NetBird service spawns it: on
+// Windows via CreateProcessAsUser into the console session, on macOS via
+// launchctl asuser into the Aqua session.
+var vncAgentCmd = &cobra.Command{
+	Use:    "vnc-agent",
+	Short:  "Run VNC capture agent (internal, spawned by service)",
+	Hidden: true,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		log.SetReportCaller(true)
+		log.SetFormatter(&log.JSONFormatter{})
+		log.SetOutput(os.Stderr)
+
+		if vncAgentSocket == "" {
+			return fmt.Errorf("--socket is required")
+		}
+
+		token := os.Getenv("NB_VNC_AGENT_TOKEN")
+		if token == "" {
+			return fmt.Errorf("NB_VNC_AGENT_TOKEN not set; agent requires a token from the service")
+		}
+		// Purge the token from env so it doesn't leak via /proc/<pid>/environ.
+		if err := os.Unsetenv("NB_VNC_AGENT_TOKEN"); err != nil {
+			log.Debugf("unset NB_VNC_AGENT_TOKEN: %v", err)
+		}
+
+		// Drop root privileges to the target console user BEFORE creating
+		// the listening socket: keeps a post-auth bug in the encoder /
+		// input / capture paths confined to the user's own privileges
+		// rather than escalating to host root, and makes the daemon's
+		// LOCAL_PEERCRED check see the right uid. No-op on Windows
+		// (both processes run as SYSTEM) and when --target-uid is 0.
+		if vncAgentTargetUID != 0 {
+			if err := dropAgentPrivileges(vncAgentTargetUID); err != nil {
+				return fmt.Errorf("drop privileges to uid %d: %w", vncAgentTargetUID, err)
+			}
+		}
+
+		if err := os.Remove(vncAgentSocket); err != nil && !os.IsNotExist(err) {
+			log.Debugf("remove stale socket %s: %v", vncAgentSocket, err)
+		}
+		ln, err := net.Listen("unix", vncAgentSocket)
+		if err != nil {
+			return fmt.Errorf("listen on %s: %w", vncAgentSocket, err)
+		}
+		if err := os.Chmod(vncAgentSocket, 0o600); err != nil {
+			log.Debugf("chmod %s: %v", vncAgentSocket, err)
+		}
+
+		capturer, injector, err := newAgentResources()
+		if err != nil {
+			_ = ln.Close()
+			return err
+		}
+		srv := vncserver.New(vncserver.Config{
+			Capturer:      capturer,
+			Injector:      injector,
+			DisableAuth:   true,
+			AgentTokenHex: token,
+			Listener:      ln,
+		})
+
+		if err := srv.Start(cmd.Context(), netip.AddrPort{}, netip.Prefix{}); err != nil {
+			return fmt.Errorf("start vnc server: %w", err)
+		}
+		log.Infof("vnc-agent listening on %s, ready", vncAgentSocket)
+
+		<-cmd.Context().Done()
+		log.Info("vnc-agent context cancelled, shutting down")
+		return srv.Stop()
+	},
+	SilenceUsage: true,
+}
--- a/client/cmd/vnc_agent_darwin.go
+++ b/client/cmd/vnc_agent_darwin.go
@@ -0,0 +1,18 @@
+//go:build darwin && !ios
+
+package cmd
+
+import (
+	"fmt"
+
+	vncserver "github.com/netbirdio/netbird/client/vnc/server"
+)
+
+func newAgentResources() (vncserver.ScreenCapturer, vncserver.InputInjector, error) {
+	capturer := vncserver.NewMacPoller()
+	injector, err := vncserver.NewMacInputInjector()
+	if err != nil {
+		return nil, nil, fmt.Errorf("macOS input injector: %w", err)
+	}
+	return capturer, injector, nil
+}
--- a/client/cmd/vnc_agent_dropprivs_darwin.go
+++ b/client/cmd/vnc_agent_dropprivs_darwin.go
@@ -0,0 +1,50 @@
+//go:build darwin && !ios
+
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"syscall"
+)
+
+// dropAgentPrivileges drops the vnc-agent process from root (its
+// launchctl-asuser-inherited starting uid) to the target console user
+// before any other initialisation runs. Without this the agent runs as
+// root for the lifetime of the session; any post-auth memory-safety
+// issue in the capture/input/encode paths would then be a root-level
+// RCE on the host instead of a user-level one. Also makes the daemon's
+// LOCAL_PEERCRED check correctly identify the agent as the console user,
+// not as root.
+//
+// Returns an error when the agent is running as a non-root uid that
+// differs from targetUID: non-root can only setuid to itself, so a
+// mismatch here means the spawn went to the wrong session.
+func dropAgentPrivileges(targetUID uint32) error {
+	if targetUID == 0 {
+		return fmt.Errorf("refusing to keep agent running as root (target uid 0)")
+	}
+	cur := uint32(os.Getuid())
+	if cur == targetUID {
+		return nil
+	}
+	if cur != 0 {
+		return fmt.Errorf("agent uid %d does not match expected %d and we lack root to fix it", cur, targetUID)
+	}
+	// Drop supplementary groups first: setgid alone doesn't touch the
+	// auxiliary group list, leaving root's groups attached would let the
+	// dropped process write to root-only group-writable files.
+	if err := syscall.Setgroups([]int{}); err != nil {
+		return fmt.Errorf("setgroups([]): %w", err)
+	}
+	if err := syscall.Setgid(int(targetUID)); err != nil {
+		return fmt.Errorf("setgid(%d): %w", targetUID, err)
+	}
+	if err := syscall.Setuid(int(targetUID)); err != nil {
+		return fmt.Errorf("setuid(%d): %w", targetUID, err)
+	}
+	if uint32(os.Getuid()) != targetUID || uint32(os.Geteuid()) != targetUID {
+		return fmt.Errorf("setuid verification: uid=%d euid=%d, expected %d", os.Getuid(), os.Geteuid(), targetUID)
+	}
+	return nil
+}
--- a/client/cmd/vnc_agent_dropprivs_darwin_test.go
+++ b/client/cmd/vnc_agent_dropprivs_darwin_test.go
@@ -0,0 +1,55 @@
+//go:build darwin && !ios
+
+package cmd
+
+import (
+	"strings"
+	"testing"
+)
+
+// TestDropAgentPrivileges_RefusesRootTarget locks in the contract that
+// dropAgentPrivileges must never be a no-op when asked to keep the
+// agent as root (target uid 0). A future caller that passes 0 by
+// mistake would otherwise leave the post-auth attack surface running
+// with full root privileges.
+func TestDropAgentPrivileges_RefusesRootTarget(t *testing.T) {
+	err := dropAgentPrivileges(0)
+	if err == nil {
+		t.Fatal("expected refusal for target uid 0, got nil")
+	}
+	if !strings.Contains(err.Error(), "root") {
+		t.Fatalf("error should mention root, got: %v", err)
+	}
+}
+
+// TestDropAgentPrivileges_NoOpWhenAlreadyTarget covers the dev path
+// where the agent is launched by hand as the target user (no root
+// available, no setuid needed). The helper must succeed silently
+// instead of trying (and failing) a setuid to its current uid.
+func TestDropAgentPrivileges_NoOpWhenAlreadyTarget(t *testing.T) {
+	// Skip when running as root: the early-return path we want to
+	// cover only fires when current uid == target uid.
+	uid := currentUIDForTest()
+	if uid == 0 {
+		t.Skip("test must not run as root; cannot exercise the no-op early-return")
+	}
+	if err := dropAgentPrivileges(uid); err != nil {
+		t.Fatalf("expected no-op when current uid == target, got: %v", err)
+	}
+}
+
+// TestDropAgentPrivileges_RefusesMismatchedNonRoot guards the "non-root
+// caller tries to setuid to a different uid" path: setuid would fail
+// with EPERM anyway, but the helper should surface a clear error
+// before issuing the syscall so a misconfigured spawn (wrong --target-uid
+// flag) is debuggable.
+func TestDropAgentPrivileges_RefusesMismatchedNonRoot(t *testing.T) {
+	uid := currentUIDForTest()
+	if uid == 0 {
+		t.Skip("test must not run as root; covered case requires non-root caller")
+	}
+	err := dropAgentPrivileges(uid + 1)
+	if err == nil {
+		t.Fatal("expected refusal when non-root caller asks to setuid elsewhere")
+	}
+}
--- a/client/cmd/vnc_agent_dropprivs_testhelpers_darwin.go
+++ b/client/cmd/vnc_agent_dropprivs_testhelpers_darwin.go
@@ -0,0 +1,11 @@
+//go:build darwin && !ios
+
+package cmd
+
+import "os"
+
+// currentUIDForTest exposes os.Getuid for the darwin dropprivs tests
+// without leaking an os import into the test file itself.
+func currentUIDForTest() uint32 {
+	return uint32(os.Getuid())
+}
--- a/client/cmd/vnc_agent_dropprivs_windows.go
+++ b/client/cmd/vnc_agent_dropprivs_windows.go
@@ -0,0 +1,14 @@
+//go:build windows
+
+package cmd
+
+// dropAgentPrivileges is a no-op on Windows: the agent and the daemon
+// both run as SYSTEM (the daemon spawns the agent into the interactive
+// session via CreateProcessAsUser with an impersonation token, but the
+// resulting process still runs under SYSTEM, not under the user's
+// account). The Windows path relies on the C:\Windows\Temp socket
+// location (admin/SYSTEM-write-only) and the per-spawn token for
+// integrity instead.
+func dropAgentPrivileges(_ uint32) error {
+	return nil
+}
--- a/client/cmd/vnc_agent_windows.go
+++ b/client/cmd/vnc_agent_windows.go
@@ -0,0 +1,15 @@
+//go:build windows
+
+package cmd
+
+import (
+	log "github.com/sirupsen/logrus"
+
+	vncserver "github.com/netbirdio/netbird/client/vnc/server"
+)
+
+func newAgentResources() (vncserver.ScreenCapturer, vncserver.InputInjector, error) {
+	sessionID := vncserver.GetCurrentSessionID()
+	log.Infof("VNC agent running in Windows session %d", sessionID)
+	return vncserver.NewDesktopCapturer(), vncserver.NewWindowsInputInjector(), nil
+}
--- a/client/cmd/vnc_flags.go
+++ b/client/cmd/vnc_flags.go
@@ -0,0 +1,16 @@
+package cmd
+
+const (
+	serverVNCAllowedFlag   = "allow-server-vnc"
+	disableVNCApprovalFlag = "disable-vnc-approval"
+)
+
+var (
+	serverVNCAllowed   bool
+	disableVNCApproval bool
+)
+
+func init() {
+	upCmd.PersistentFlags().BoolVar(&serverVNCAllowed, serverVNCAllowedFlag, false, "Allow embedded VNC server on peer")
+	upCmd.PersistentFlags().BoolVar(&disableVNCApproval, disableVNCApprovalFlag, false, "Disable per-connection user approval prompts for the embedded VNC server")
+}
--- a/client/configs/configs.go
+++ b/client/configs/configs.go
@@ -6,19 +6,30 @@ import (
 	"runtime"
 )

-var StateDir string
+var (
+	// StateDir holds persistent state (config, profiles, install metadata).
+	StateDir string
+	// RuntimeDir holds ephemeral artifacts that should not survive reboot,
+	// such as Unix sockets for daemon and per-session IPC. Empty on
+	// platforms without a conventional /var/run-style location.
+	RuntimeDir string
+)

 func init() {
-	StateDir = os.Getenv("NB_STATE_DIR")
-	if StateDir != "" {
-		return
-	}
 	switch runtime.GOOS {
 	case "windows":
 		StateDir = filepath.Join(os.Getenv("PROGRAMDATA"), "Netbird")
 	case "darwin", "linux":
 		StateDir = "/var/lib/netbird"
+		RuntimeDir = "/var/run/netbird"
 	case "freebsd", "openbsd", "netbsd", "dragonfly":
 		StateDir = "/var/db/netbird"
+		RuntimeDir = "/var/run/netbird"
+	}
+	if v := os.Getenv("NB_STATE_DIR"); v != "" {
+		StateDir = v
+	}
+	if v := os.Getenv("NB_RUNTIME_DIR"); v != "" {
+		RuntimeDir = v
 	}
 }
--- a/client/embed/embed.go
+++ b/client/embed/embed.go
@@ -12,7 +12,6 @@ import (
 	"sync"

 	"github.com/sirupsen/logrus"
-	wgdevice "golang.zx2c4.com/wireguard/device"
 	wgnetstack "golang.zx2c4.com/wireguard/tun/netstack"

 	"github.com/netbirdio/netbird/client/iface"
@@ -85,12 +84,6 @@ type Options struct {
 	DisableIPv6 bool
 	// BlockInbound blocks all inbound connections from peers
 	BlockInbound bool
-	// BlockLANAccess blocks the embedded peer from reaching the host's
-	// LAN (RFC 1918, link-local, loopback) when it's used as a routing
-	// peer. Mirrors profilemanager.ConfigInput.BlockLANAccess. Useful
-	// when the embedded client must never act as a stepping stone into
-	// the host's local network (e.g. the proxy's overlay peer).
-	BlockLANAccess bool
 	// WireguardPort is the port for the tunnel interface. Use 0 for a random port.
 	WireguardPort *int
 	// MTU is the MTU for the tunnel interface.
@@ -101,26 +94,6 @@ type Options struct {
 	MTU *uint16
 	// DNSLabels defines additional DNS labels configured in the peer.
 	DNSLabels []string
-	// Performance configures the tunnel's buffer pool cap and batch size.
-	Performance Performance
-}
-
-// Performance configures the embedded client's tunnel memory/throughput knobs.
-//
-// These settings are process-global: any non-nil field also becomes the
-// default for Clients constructed by later embed.New calls in the same
-// process. Nil fields are ignored.
-type Performance struct {
-	// PreallocatedBuffersPerPool caps the per-tunnel buffer pool. Zero
-	// leaves the pool unbounded. Lower values trade throughput for a
-	// tighter memory ceiling. May also be changed on a running Client via
-	// Client.SetPerformance, provided this field was nonzero at construction.
-	PreallocatedBuffersPerPool *uint32
-	// MaxBatchSize overrides the number of packets the tunnel reads or
-	// writes per syscall, which also bounds eager buffer allocation per
-	// worker. Zero uses the platform default. Applied at construction
-	// only; ignored by Client.SetPerformance.
-	MaxBatchSize *uint32
 }

 // validateCredentials checks that exactly one credential type is provided
@@ -202,7 +175,6 @@ func New(opts Options) (*Client, error) {
 		DisableClientRoutes: &opts.DisableClientRoutes,
 		DisableIPv6:         &opts.DisableIPv6,
 		BlockInbound:        &opts.BlockInbound,
-		BlockLANAccess:      &opts.BlockLANAccess,
 		WireguardPort:       opts.WireguardPort,
 		MTU:                 opts.MTU,
 		DNSLabels:           parsedLabels,
@@ -220,13 +192,6 @@ func New(opts Options) (*Client, error) {
 		config.PrivateKey = opts.PrivateKey
 	}

-	if opts.Performance.PreallocatedBuffersPerPool != nil {
-		wgdevice.SetPreallocatedBuffersPerPool(*opts.Performance.PreallocatedBuffersPerPool)
-	}
-	if opts.Performance.MaxBatchSize != nil {
-		wgdevice.SetMaxBatchSizeOverride(*opts.Performance.MaxBatchSize)
-	}
-
 	return &Client{
 		deviceName: opts.DeviceName,
 		setupKey:   opts.SetupKey,
@@ -440,21 +405,6 @@ func (c *Client) Expose(ctx context.Context, req ExposeRequest) (*ExposeSession,
 	}, nil
 }

-// IdentityForIP looks up a remote peer by its tunnel IP using the
-// embedded client's status recorder. Returns the peer's WireGuard public
-// key and FQDN. ok=false means the IP isn't in this client's peer
-// roster — callers should treat that as "unknown peer".
-func (c *Client) IdentityForIP(ip netip.Addr) (pubKey, fqdn string, ok bool) {
-	if !ip.IsValid() || c.recorder == nil {
-		return "", "", false
-	}
-	state, found := c.recorder.PeerStateByIP(ip.String())
-	if !found {
-		return "", "", false
-	}
-	return state.PubKey, state.FQDN, true
-}
-
 // Status returns the current status of the client.
 func (c *Client) Status() (peer.FullStatus, error) {
 	c.mu.Lock()
@@ -523,25 +473,6 @@ func (c *Client) VerifySSHHostKey(peerAddress string, key []byte) error {
 	return sshcommon.VerifyHostKey(storedKey, key, peerAddress)
 }

-// SetPerformance retunes a running Client. Only PreallocatedBuffersPerPool
-// takes effect, and only when it was nonzero at construction;
-// MaxBatchSize is construction-only and returns an error if set here.
-//
-// Returns ErrClientNotStarted / ErrEngineNotStarted if the Client is not
-// running yet.
-func (c *Client) SetPerformance(t Performance) error {
-	if t.MaxBatchSize != nil {
-		return errors.New("MaxBatchSize is construction-only and cannot be changed at runtime")
-	}
-	engine, err := c.getEngine()
-	if err != nil {
-		return err
-	}
-	return engine.SetPerformance(internal.Performance{
-		PreallocatedBuffersPerPool: t.PreallocatedBuffersPerPool,
-	})
-}
-
 // StartCapture begins capturing packets on this client's tunnel device.
 // Only one capture can be active at a time; starting a new one stops the previous.
 // Call StopCapture (or CaptureSession.Stop) to end it.
--- a/client/firewall/nftables/external_chain_monitor_linux.go
+++ b/client/firewall/nftables/external_chain_monitor_linux.go
@@ -52,10 +52,9 @@ func (m *externalChainMonitor) start() {

 	ctx, cancel := context.WithCancel(context.Background())
 	m.cancel = cancel
-	done := make(chan struct{})
-	m.done = done
+	m.done = make(chan struct{})

-	go m.run(ctx, done)
+	go m.run(ctx)
 }

 func (m *externalChainMonitor) stop() {
@@ -73,8 +72,8 @@ func (m *externalChainMonitor) stop() {
 	<-done
 }

-func (m *externalChainMonitor) run(ctx context.Context, done chan struct{}) {
-	defer close(done)
+func (m *externalChainMonitor) run(ctx context.Context) {
+	defer close(m.done)

 	bo := &backoff.ExponentialBackOff{
 		InitialInterval:     externalMonitorInitInterval,
--- a/client/firewall/uspfilter/forwarder/icmp.go
+++ b/client/firewall/uspfilter/forwarder/icmp.go
@@ -362,10 +362,6 @@ func (f *Forwarder) injectICMPv6Reply(id stack.TransportEndpointID, icmpPayload
 		return 0
 	}

-	if pc := f.endpoint.capture.Load(); pc != nil {
-		(*pc).Offer(fullPacket, true)
-	}
-
 	return len(fullPacket)
 }

--- a/client/installer.nsis
+++ b/client/installer.nsis
@@ -260,15 +260,23 @@ WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "Publisher" "${COMP_NAME}"

 WriteRegStr ${REG_ROOT} "${UI_REG_APP_PATH}" "" "$INSTDIR\${UI_APP_EXE}"

-; Create autostart registry entry based on checkbox
+; Drop Run, App Paths and Uninstall entries left in the 32-bit registry view
+; or HKCU by legacy installers.
+DetailPrint "Cleaning legacy 32-bit / HKCU entries..."
+DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+SetRegView 32
+DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+DeleteRegKey HKLM "${REG_APP_PATH}"
+DeleteRegKey HKLM "${UI_REG_APP_PATH}"
+DeleteRegKey HKLM "${UNINSTALL_PATH}"
+SetRegView 64
+
 DetailPrint "Autostart enabled: $AutostartEnabled"
 ${If} $AutostartEnabled == "1"
    WriteRegStr HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}" '"$INSTDIR\${UI_APP_EXE}.exe"'
    DetailPrint "Added autostart registry entry: $INSTDIR\${UI_APP_EXE}.exe"
 ${Else}
    DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-    ; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
-    DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
    DetailPrint "Autostart not enabled by user"
 ${EndIf}

@@ -299,11 +307,16 @@ ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service uninstall'
 DetailPrint "Terminating Netbird UI process..."
 ExecWait `taskkill /im ${UI_APP_EXE}.exe /f`

-; Remove autostart registry entry
+; Remove autostart entries from every view a previous installer may have used.
 DetailPrint "Removing autostart registry entry if exists..."
 DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
 DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+SetRegView 32
+DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+DeleteRegKey HKLM "${REG_APP_PATH}"
+DeleteRegKey HKLM "${UI_REG_APP_PATH}"
+DeleteRegKey HKLM "${UNINSTALL_PATH}"
+SetRegView 64

 ; Handle data deletion based on checkbox
 DetailPrint "Checking if user requested data deletion..."
--- a/client/internal/approval/broker.go
+++ b/client/internal/approval/broker.go
@@ -0,0 +1,219 @@
+// Package approval brokers per-attempt user-accept prompts for inbound
+// remote access (VNC today, SSH and others in the future). A caller pushes
+// a Prompt; the broker emits a SystemEvent on the daemon→UI stream and
+// blocks until the UI calls the daemon's RespondApproval RPC, the per-
+// request timeout fires, or no subscriber is connected. The latter case
+// fails closed so a backgrounded UI cannot silently bypass the gate.
+package approval
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/google/uuid"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+// Metadata keys the broker reserves on the emitted SystemEvent. Callers
+// should not set these themselves; values in Prompt.Metadata that collide
+// are overwritten by the broker.
+const (
+	MetaRequestID = "request_id"
+	MetaKind      = "kind"
+	MetaExpiresAt = "expires_at"
+)
+
+// ShortKeyFingerprint formats a hex-encoded Noise_IK static pubkey as a
+// short, eyeball-able fingerprint to display in the approval dialog.
+// The dashboard-supplied display name attached to a SessionPubKey isn't
+// cryptographically asserted by the connecting client, so the prompt
+// must also show something that IS: the key fingerprint, a hash of
+// the static public key the client just proved possession of during the
+// Noise handshake. Returns the empty string when the input is too short
+// to plausibly be a hex pubkey, so the row is omitted rather than
+// rendered as a misleading partial.
+//
+// Output format: 16 hex chars grouped as XXXX-XXXX-XXXX-XXXX (64 bits of
+// fingerprint, resistant to random-prefix collisions and easy for a human
+// to compare with an out-of-band reference).
+func ShortKeyFingerprint(hexKey string) string {
+	if len(hexKey) < 8 {
+		return ""
+	}
+	src := hexKey
+	if len(src) > 16 {
+		src = src[:16]
+	}
+	var out []byte
+	for i, c := range src {
+		if i > 0 && i%4 == 0 {
+			out = append(out, '-')
+		}
+		out = append(out, byte(c))
+	}
+	return string(out)
+}
+
+// Kind values for the well-known prompt subjects. New subsystems should
+// add a constant here so the UI can dispatch on a known string.
+const (
+	KindVNC = "vnc"
+	KindSSH = "ssh"
+)
+
+// DefaultTimeout is the wall-clock window the user has to accept or deny a
+// pending approval before the broker fails closed and returns ErrTimeout.
+// Kept well under typical VNC client and dashboard connection timeouts so
+// the RFB rejection actually reaches the browser instead of racing the
+// browser's own "connection timed out" message.
+const DefaultTimeout = 15 * time.Second
+
+// timeoutValue returns the active timeout. It's a var so tests in this
+// package can shorten the wait without exposing a setter on the public
+// API. Production code always sees DefaultTimeout.
+var timeoutValue = func() time.Duration { return DefaultTimeout }
+
+// ErrNoSubscriber indicates no UI is connected to consume the prompt.
+// The caller must reject the underlying connection (fail-closed).
+var ErrNoSubscriber = errors.New("no UI subscriber connected for approval")
+
+// ErrTimeout indicates the user did not respond within DefaultTimeout.
+var ErrTimeout = errors.New("approval timed out")
+
+// ErrDenied indicates the user explicitly denied the connection.
+var ErrDenied = errors.New("approval denied")
+
+// EventPublisher is the subset of peer.Status used to emit prompts.
+type EventPublisher interface {
+	PublishEvent(
+		severity proto.SystemEvent_Severity,
+		category proto.SystemEvent_Category,
+		msg string,
+		userMsg string,
+		metadata map[string]string,
+	)
+	HasEventSubscribers() bool
+}
+
+// Prompt describes the pending request shown to the user. Kind selects
+// the UI dispatch path (e.g. "vnc", "ssh"). Subject is the human-readable
+// one-liner the UI may show as a title or notification body. Metadata is
+// passed through verbatim and is the subsystem-specific payload (peer
+// name, source IP, mode, etc.).
+type Prompt struct {
+	Kind     string
+	Subject  string
+	Metadata map[string]string
+}
+
+// Decision carries the user's response to an approval prompt. ViewOnly is
+// only meaningful when Accept is true; it lets the host grant the
+// connection but signal the requester that input control is withheld.
+type Decision struct {
+	Accept   bool
+	ViewOnly bool
+}
+
+// Broker holds in-flight approval requests keyed by request ID.
+type Broker struct {
+	pub EventPublisher
+
+	mu      sync.Mutex
+	pending map[string]chan Decision
+}
+
+// New returns a broker that publishes prompts via pub.
+func New(pub EventPublisher) *Broker {
+	return &Broker{
+		pub:     pub,
+		pending: make(map[string]chan Decision),
+	}
+}
+
+// Request emits a SystemEvent for p and blocks until the UI calls Respond,
+// ctx is cancelled, or DefaultTimeout elapses. Returns a Decision when
+// the user replied; ErrDenied / ErrTimeout / ErrNoSubscriber / ctx.Err
+// otherwise. Callers must treat any non-nil error as a deny.
+func (b *Broker) Request(ctx context.Context, p Prompt) (Decision, error) {
+	var zero Decision
+	if b == nil || b.pub == nil {
+		return zero, fmt.Errorf("approval broker not configured")
+	}
+	if !b.pub.HasEventSubscribers() {
+		return zero, ErrNoSubscriber
+	}
+
+	id := uuid.NewString()
+	resp := make(chan Decision, 1)
+
+	b.mu.Lock()
+	b.pending[id] = resp
+	b.mu.Unlock()
+
+	defer b.dropPending(id)
+
+	timeout := timeoutValue()
+	expiresAt := time.Now().Add(timeout)
+	meta := make(map[string]string, len(p.Metadata)+3)
+	for k, v := range p.Metadata {
+		meta[k] = v
+	}
+	meta[MetaRequestID] = id
+	meta[MetaKind] = p.Kind
+	meta[MetaExpiresAt] = expiresAt.UTC().Format(time.RFC3339)
+
+	subject := p.Subject
+	if subject == "" {
+		subject = fmt.Sprintf("%s connection requires approval", p.Kind)
+	}
+	b.pub.PublishEvent(proto.SystemEvent_INFO, proto.SystemEvent_APPROVAL, subject, subject, meta)
+	log.Debugf("approval request %s (%s) emitted: %s", id, p.Kind, subject)
+
+	timer := time.NewTimer(timeout)
+	defer timer.Stop()
+
+	select {
+	case d := <-resp:
+		if !d.Accept {
+			return zero, ErrDenied
+		}
+		return d, nil
+	case <-timer.C:
+		return zero, ErrTimeout
+	case <-ctx.Done():
+		return zero, ctx.Err()
+	}
+}
+
+// Respond delivers the user's decision for id. Returns true when a pending
+// request matched and was woken, false when id was unknown or already done.
+func (b *Broker) Respond(id string, d Decision) bool {
+	if b == nil {
+		return false
+	}
+	b.mu.Lock()
+	ch, ok := b.pending[id]
+	if ok {
+		delete(b.pending, id)
+	}
+	b.mu.Unlock()
+	if !ok {
+		return false
+	}
+	select {
+	case ch <- d:
+	default:
+	}
+	return true
+}
+
+func (b *Broker) dropPending(id string) {
+	b.mu.Lock()
+	delete(b.pending, id)
+	b.mu.Unlock()
+}
--- a/client/internal/approval/broker_test.go
+++ b/client/internal/approval/broker_test.go
@@ -0,0 +1,434 @@
+package approval
+
+import (
+	"context"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+// fakePublisher records published events and reports whether subscribers
+// are connected. The subscribers flag is the security-critical signal:
+// when false the broker must refuse to emit and the gate must fail closed.
+type fakePublisher struct {
+	mu          sync.Mutex
+	subscribers bool
+	events      []*proto.SystemEvent
+}
+
+func (p *fakePublisher) PublishEvent(
+	severity proto.SystemEvent_Severity,
+	category proto.SystemEvent_Category,
+	msg string,
+	userMsg string,
+	metadata map[string]string,
+) {
+	p.mu.Lock()
+	p.events = append(p.events, &proto.SystemEvent{
+		Severity:    severity,
+		Category:    category,
+		Message:     msg,
+		UserMessage: userMsg,
+		Metadata:    metadata,
+	})
+	p.mu.Unlock()
+}
+
+func (p *fakePublisher) HasEventSubscribers() bool {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	return p.subscribers
+}
+
+func (p *fakePublisher) lastEvent(t *testing.T) *proto.SystemEvent {
+	t.Helper()
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	require.NotEmpty(t, p.events, "publisher saw no events")
+	return p.events[len(p.events)-1]
+}
+
+func (p *fakePublisher) eventCount() int {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	return len(p.events)
+}
+
+// TestRequestNoSubscriberFailsClosed is the core fail-closed invariant:
+// when the UI is not subscribed, the broker must refuse without emitting
+// an event or arming a waiter. A regression here is a silent bypass.
+func TestRequestNoSubscriberFailsClosed(t *testing.T) {
+	pub := &fakePublisher{subscribers: false}
+	b := New(pub)
+
+	_, err := b.Request(context.Background(), Prompt{Kind: KindVNC, Subject: "test"})
+	assert.ErrorIs(t, err, ErrNoSubscriber)
+	assert.Equal(t, 0, pub.eventCount(), "no event must be emitted when fail-closed")
+
+	b.mu.Lock()
+	pending := len(b.pending)
+	b.mu.Unlock()
+	assert.Equal(t, 0, pending, "no waiter must be registered on fail-closed")
+}
+
+// TestRequestTimeoutDenies verifies that a request without a UI response
+// returns ErrTimeout (deny) rather than nil (silent accept). Uses a short
+// per-test broker timeout via Respond after the fact to keep the test fast.
+func TestRequestTimeoutDenies(t *testing.T) {
+	// Replace DefaultTimeout for the lifetime of this test.
+	orig := DefaultTimeout
+	defaultTimeout(t, 60*time.Millisecond)
+	defer defaultTimeout(t, orig)
+
+	pub := &fakePublisher{subscribers: true}
+	b := New(pub)
+
+	start := time.Now()
+	_, err := b.Request(context.Background(), Prompt{Kind: KindVNC, Subject: "test"})
+	assert.ErrorIs(t, err, ErrTimeout, "missing user response must yield ErrTimeout, not nil")
+	assert.GreaterOrEqual(t, time.Since(start), 50*time.Millisecond, "timeout fired prematurely")
+}
+
+// TestRequestDenied returns ErrDenied when the UI responds with false.
+func TestRequestDenied(t *testing.T) {
+	pub := &fakePublisher{subscribers: true}
+	b := New(pub)
+
+	var requestID string
+	done := make(chan error, 1)
+	go func() {
+		done <- requestErr(b, context.Background(), Prompt{Kind: KindVNC, Subject: "test"})
+	}()
+
+	requestID = waitForRequestID(t, pub)
+	require.True(t, b.Respond(requestID, Decision{Accept: false}))
+
+	select {
+	case err := <-done:
+		assert.ErrorIs(t, err, ErrDenied)
+	case <-time.After(time.Second):
+		t.Fatal("Request did not return after Respond(false)")
+	}
+}
+
+// TestRequestAccepted is the happy path. Failure here doesn't bypass the
+// gate but breaks the feature.
+func TestRequestAccepted(t *testing.T) {
+	pub := &fakePublisher{subscribers: true}
+	b := New(pub)
+
+	done := make(chan error, 1)
+	go func() {
+		done <- requestErr(b, context.Background(), Prompt{Kind: KindVNC, Subject: "test"})
+	}()
+
+	id := waitForRequestID(t, pub)
+	require.True(t, b.Respond(id, Decision{Accept: true}))
+
+	select {
+	case err := <-done:
+		assert.NoError(t, err)
+	case <-time.After(time.Second):
+		t.Fatal("Request did not return after Respond(true)")
+	}
+}
+
+// TestRequestCtxCancelDenies verifies that an upstream cancel (e.g. the
+// engine shutting down mid-prompt) returns the cancel error rather than
+// nil. A nil here would be a silent bypass on shutdown races.
+func TestRequestCtxCancelDenies(t *testing.T) {
+	pub := &fakePublisher{subscribers: true}
+	b := New(pub)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	done := make(chan error, 1)
+	go func() {
+		done <- requestErr(b, ctx, Prompt{Kind: KindVNC, Subject: "test"})
+	}()
+
+	// Wait until the prompt is in flight so cancel races a live waiter.
+	_ = waitForRequestID(t, pub)
+	cancel()
+
+	select {
+	case err := <-done:
+		assert.ErrorIs(t, err, context.Canceled)
+	case <-time.After(time.Second):
+		t.Fatal("Request did not return after ctx cancel")
+	}
+}
+
+// TestRespondUnknownIsNoop ensures a stray RespondApproval RPC cannot
+// affect or accidentally accept any in-flight request whose id it doesn't
+// match. Also confirms it doesn't panic.
+func TestRespondUnknownIsNoop(t *testing.T) {
+	pub := &fakePublisher{subscribers: true}
+	b := New(pub)
+
+	// No in-flight prompts: Respond returns false.
+	assert.False(t, b.Respond("does-not-exist", Decision{Accept: true}))
+
+	// With an in-flight prompt, a wrong id still returns false and the
+	// prompt remains armed (eventually timing out as a deny).
+	defaultTimeout(t, 60*time.Millisecond)
+	defer defaultTimeout(t, DefaultTimeout)
+
+	done := make(chan error, 1)
+	go func() {
+		done <- requestErr(b, context.Background(), Prompt{Kind: KindVNC})
+	}()
+	realID := waitForRequestID(t, pub)
+	assert.False(t, b.Respond("totally-bogus", Decision{Accept: true}), "unknown id must not match")
+	assert.NotEqual(t, "totally-bogus", realID)
+
+	select {
+	case err := <-done:
+		assert.ErrorIs(t, err, ErrTimeout, "armed prompt must still time out, not accept")
+	case <-time.After(time.Second):
+		t.Fatal("prompt did not resolve")
+	}
+}
+
+// TestRespondAfterTimeoutNoop confirms a late accept response can't
+// retroactively flip a denied (timed-out) request. The dropPending defer
+// in Request must have removed the entry by the time Respond races in.
+func TestRespondAfterTimeoutNoop(t *testing.T) {
+	defaultTimeout(t, 30*time.Millisecond)
+	defer defaultTimeout(t, DefaultTimeout)
+
+	pub := &fakePublisher{subscribers: true}
+	b := New(pub)
+
+	done := make(chan error, 1)
+	go func() {
+		done <- requestErr(b, context.Background(), Prompt{Kind: KindVNC})
+	}()
+	id := waitForRequestID(t, pub)
+
+	select {
+	case err := <-done:
+		require.ErrorIs(t, err, ErrTimeout)
+	case <-time.After(time.Second):
+		t.Fatal("prompt did not time out")
+	}
+
+	assert.False(t, b.Respond(id, Decision{Accept: true}), "late respond must be no-op")
+}
+
+// TestRespondDoubleNoop ensures a duplicate ack from the UI doesn't leak
+// past the matched waiter or panic on a closed/full channel.
+func TestRespondDoubleNoop(t *testing.T) {
+	pub := &fakePublisher{subscribers: true}
+	b := New(pub)
+
+	done := make(chan error, 1)
+	go func() {
+		done <- requestErr(b, context.Background(), Prompt{Kind: KindVNC})
+	}()
+	id := waitForRequestID(t, pub)
+	require.True(t, b.Respond(id, Decision{Accept: true}))
+	assert.False(t, b.Respond(id, Decision{Accept: false}), "second response must be no-op")
+
+	select {
+	case err := <-done:
+		assert.NoError(t, err)
+	case <-time.After(time.Second):
+		t.Fatal("prompt did not resolve")
+	}
+}
+
+// TestNilBrokerRequestErrors guards the engine pre-init path where the
+// broker may not yet exist (or its publisher is nil): Request must
+// error, never silently accept.
+func TestNilBrokerRequestErrors(t *testing.T) {
+	var b *Broker
+	_, err := b.Request(context.Background(), Prompt{Kind: KindVNC})
+	assert.Error(t, err, "nil broker must error, never silently accept")
+
+	b2 := New(nil)
+	_, err = b2.Request(context.Background(), Prompt{Kind: KindVNC})
+	assert.Error(t, err, "broker with nil publisher must error, never silently accept")
+}
+
+// TestPromptMetadataInjected confirms the broker stamps request_id, kind,
+// and expires_at on the emitted event. The UI relies on these keys; if
+// they are dropped, the user cannot route the prompt and the response
+// path breaks (which fails closed via timeout).
+func TestPromptMetadataInjected(t *testing.T) {
+	pub := &fakePublisher{subscribers: true}
+	b := New(pub)
+
+	done := make(chan error, 1)
+	go func() {
+		done <- requestErr(b, context.Background(), Prompt{
+			Kind:     KindVNC,
+			Subject:  "VNC connection from peerA",
+			Metadata: map[string]string{"peer_name": "peerA"},
+		})
+	}()
+
+	id := waitForRequestID(t, pub)
+	ev := pub.lastEvent(t)
+
+	assert.Equal(t, proto.SystemEvent_APPROVAL, ev.Category)
+	assert.Equal(t, KindVNC, ev.Metadata[MetaKind])
+	assert.Equal(t, id, ev.Metadata[MetaRequestID])
+	assert.NotEmpty(t, ev.Metadata[MetaExpiresAt])
+	assert.Equal(t, "peerA", ev.Metadata["peer_name"], "caller metadata must pass through")
+
+	require.True(t, b.Respond(id, Decision{Accept: true}))
+	<-done
+}
+
+// TestConcurrentRequests verifies that two concurrent prompts are tracked
+// independently. A bug that aliases ids would let one Respond unblock
+// the wrong waiter (a silent accept across prompts).
+func TestConcurrentRequests(t *testing.T) {
+	pub := &fakePublisher{subscribers: true}
+	b := New(pub)
+
+	const n = 20
+	results := make(chan error, n)
+	for i := 0; i < n; i++ {
+		go func() {
+			results <- requestErr(b, context.Background(), Prompt{Kind: KindVNC})
+		}()
+	}
+
+	ids := waitForNRequestIDs(t, pub, n)
+	require.Len(t, ids, n)
+
+	// Deny exactly half, accept the rest. Track outcome per id so we can
+	// match each Request's return value against the response we sent.
+	denySet := make(map[string]bool, n)
+	for i, id := range ids {
+		deny := i%2 == 0
+		denySet[id] = deny
+		require.True(t, b.Respond(id, Decision{Accept: !deny}))
+	}
+
+	// Collect all returns and check no nil errors slipped past a deny.
+	var accepted, denied atomic.Int32
+	for i := 0; i < n; i++ {
+		select {
+		case err := <-results:
+			if err == nil {
+				accepted.Add(1)
+			} else {
+				assert.ErrorIs(t, err, ErrDenied)
+				denied.Add(1)
+			}
+		case <-time.After(2 * time.Second):
+			t.Fatalf("only got %d/%d responses", i, n)
+		}
+	}
+	assert.Equal(t, int32(n/2), denied.Load())
+	assert.Equal(t, int32(n/2), accepted.Load())
+}
+
+// waitForRequestID blocks until the publisher sees its next event and
+// returns the request_id stamped on it.
+func waitForRequestID(t *testing.T, pub *fakePublisher) string {
+	t.Helper()
+	deadline := time.Now().Add(2 * time.Second)
+	for time.Now().Before(deadline) {
+		pub.mu.Lock()
+		count := len(pub.events)
+		var id string
+		if count > 0 {
+			id = pub.events[count-1].Metadata[MetaRequestID]
+		}
+		pub.mu.Unlock()
+		if id != "" {
+			return id
+		}
+		time.Sleep(2 * time.Millisecond)
+	}
+	t.Fatal("timeout waiting for emitted event")
+	return ""
+}
+
+func waitForNRequestIDs(t *testing.T, pub *fakePublisher, n int) []string {
+	t.Helper()
+	deadline := time.Now().Add(2 * time.Second)
+	for time.Now().Before(deadline) {
+		pub.mu.Lock()
+		count := len(pub.events)
+		pub.mu.Unlock()
+		if count >= n {
+			break
+		}
+		time.Sleep(2 * time.Millisecond)
+	}
+	pub.mu.Lock()
+	defer pub.mu.Unlock()
+	out := make([]string, 0, len(pub.events))
+	seen := make(map[string]struct{}, len(pub.events))
+	for _, ev := range pub.events {
+		id := ev.Metadata[MetaRequestID]
+		if id == "" {
+			continue
+		}
+		if _, dup := seen[id]; dup {
+			continue
+		}
+		seen[id] = struct{}{}
+		out = append(out, id)
+	}
+	if len(out) < n {
+		t.Fatalf("only got %d/%d request ids", len(out), n)
+	}
+	return out
+}
+
+// defaultTimeout swaps the broker's per-request wall-clock window so the
+// timeout tests run quickly. Restores the prior value on the next call.
+func defaultTimeout(t *testing.T, d time.Duration) {
+	t.Helper()
+	if d <= 0 {
+		t.Fatal("defaultTimeout must be > 0")
+	}
+	timeoutValue = func() time.Duration { return d }
+}
+
+// requestErr wraps Broker.Request to drop the Decision when tests only
+// care about the error path. Keeps the goroutine bodies tight.
+func requestErr(b *Broker, ctx context.Context, p Prompt) error {
+	_, err := b.Request(ctx, p)
+	return err
+}
+
+// TestRequestViewOnly checks the view-only outcome flows through Request's
+// Decision return without being silently swallowed.
+func TestRequestViewOnly(t *testing.T) {
+	pub := &fakePublisher{subscribers: true}
+	b := New(pub)
+
+	type result struct {
+		d   Decision
+		err error
+	}
+	done := make(chan result, 1)
+	go func() {
+		d, err := b.Request(context.Background(), Prompt{Kind: KindVNC})
+		done <- result{d, err}
+	}()
+
+	id := waitForRequestID(t, pub)
+	require.True(t, b.Respond(id, Decision{Accept: true, ViewOnly: true}))
+
+	select {
+	case r := <-done:
+		assert.NoError(t, r.err)
+		assert.True(t, r.d.Accept)
+		assert.True(t, r.d.ViewOnly, "ViewOnly must survive the round-trip")
+	case <-time.After(time.Second):
+		t.Fatal("view-only request did not resolve")
+	}
+}
--- a/client/internal/approval/fingerprint_test.go
+++ b/client/internal/approval/fingerprint_test.go
@@ -0,0 +1,62 @@
+package approval
+
+import "testing"
+
+// TestShortKeyFingerprint locks in the format the VNC approval prompt
+// shows to the user. The fingerprint is the user's only cryptographic
+// anchor against a malicious management server that pushes a spoofed
+// display name, so accidental changes to its format would silently
+// undermine that defence.
+func TestShortKeyFingerprint(t *testing.T) {
+	cases := []struct {
+		name string
+		in   string
+		want string
+	}{
+		{
+			name: "full_32_byte_pubkey",
+			in:   "0123456789abcdeffedcba9876543210ffeeddccbbaa99887766554433221100",
+			want: "0123-4567-89ab-cdef",
+		},
+		{
+			name: "exactly_16_chars",
+			in:   "0123456789abcdef",
+			want: "0123-4567-89ab-cdef",
+		},
+		{
+			name: "borderline_8_chars",
+			in:   "01234567",
+			want: "0123-4567",
+		},
+		{
+			name: "too_short_returns_empty",
+			in:   "0123",
+			want: "",
+		},
+		{
+			name: "empty_returns_empty",
+			in:   "",
+			want: "",
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := ShortKeyFingerprint(tc.in)
+			if got != tc.want {
+				t.Fatalf("ShortKeyFingerprint(%q) = %q, want %q", tc.in, got, tc.want)
+			}
+		})
+	}
+}
+
+// TestShortKeyFingerprint_DistinctKeysDistinctOutputs guards against a
+// formatting bug that would collapse different prefixes onto the same
+// displayed fingerprint and let an attacker substitute their pubkey for
+// a victim's while keeping the prompt visually identical.
+func TestShortKeyFingerprint_DistinctKeysDistinctOutputs(t *testing.T) {
+	a := ShortKeyFingerprint("0123456789abcdef" + "rest_of_pubkey_ignored")
+	b := ShortKeyFingerprint("0123456789abcde0" + "rest_of_pubkey_ignored")
+	if a == b {
+		t.Fatalf("expected distinct outputs for distinct prefixes, both = %q", a)
+	}
+}
--- a/client/internal/auth/auth.go
+++ b/client/internal/auth/auth.go
@@ -315,6 +315,7 @@ func (a *Auth) setSystemInfoFlags(info *system.Info) {
 		a.config.RosenpassEnabled,
 		a.config.RosenpassPermissive,
 		a.config.ServerSSHAllowed,
+		a.config.ServerVNCAllowed,
 		a.config.DisableClientRoutes,
 		a.config.DisableServerRoutes,
 		a.config.DisableDNS,
--- a/client/internal/auth/pkce_flow.go
+++ b/client/internal/auth/pkce_flow.go
@@ -360,13 +360,7 @@ func isRedirectURLPortUsed(redirectURL string, excludedRanges []excludedPortRang
 		return true
 	}

-	// FreeBSD 15 disables connecting to INADDR_ANY (0.0.0.0) as a localhost
-	// alias by default, ensure explicit ip for localhost.
-	host := parsedURL.Hostname()
-	if host == "" {
-		host = "127.0.0.1"
-	}
-	addr := net.JoinHostPort(host, port)
+	addr := fmt.Sprintf(":%s", port)
 	conn, err := net.DialTimeout("tcp", addr, 3*time.Second)
 	if err != nil {
 		return false
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
-	"path/filepath"
 	"runtime"
 	"runtime/debug"
 	"strings"
@@ -347,11 +346,6 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			return wrapErr(err)
 		}
 		engineConfig.TempDir = mobileDependency.TempDir
-		// Leave StateDir empty when there is no state path so a disk-backed
-		// syncstore falls back to os.TempDir() instead of filepath.Dir("") == ".".
-		if path != "" {
-			engineConfig.StateDir = filepath.Dir(path)
-		}

 		relayManager := relayClient.NewManager(engineCtx, relayURLs, myPrivateKey.PublicKey().String(), engineConfig.MTU)
 		c.statusRecorder.SetRelayMgr(relayManager)
@@ -568,6 +562,8 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 		RosenpassEnabled:              config.RosenpassEnabled,
 		RosenpassPermissive:           config.RosenpassPermissive,
 		ServerSSHAllowed:              util.ReturnBoolWithDefaultTrue(config.ServerSSHAllowed),
+		ServerVNCAllowed:              config.ServerVNCAllowed != nil && *config.ServerVNCAllowed,
+		DisableVNCApproval:            config.DisableVNCApproval,
 		EnableSSHRoot:                 config.EnableSSHRoot,
 		EnableSSHSFTP:                 config.EnableSSHSFTP,
 		EnableSSHLocalPortForwarding:  config.EnableSSHLocalPortForwarding,
@@ -650,6 +646,7 @@ func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte,
 		config.RosenpassEnabled,
 		config.RosenpassPermissive,
 		config.ServerSSHAllowed,
+		config.ServerVNCAllowed,
 		config.DisableClientRoutes,
 		config.DisableServerRoutes,
 		config.DisableDNS,
--- a/client/internal/debug/debug.go
+++ b/client/internal/debug/debug.go
@@ -254,8 +254,6 @@ type BundleGenerator struct {
 	capturePath    string
 	refreshStatus  func() // Optional callback to refresh status before bundle generation
 	clientMetrics  MetricsExporter
-	daemonVersion  string
-	cliVersion     string

 	anonymize         bool
 	includeSystemInfo bool
@@ -280,8 +278,6 @@ type GeneratorDependencies struct {
 	CapturePath    string
 	RefreshStatus  func()
 	ClientMetrics  MetricsExporter
-	DaemonVersion  string
-	CliVersion     string
 }

 func NewBundleGenerator(deps GeneratorDependencies, cfg BundleConfig) *BundleGenerator {
@@ -303,8 +299,6 @@ func NewBundleGenerator(deps GeneratorDependencies, cfg BundleConfig) *BundleGen
 		capturePath:    deps.CapturePath,
 		refreshStatus:  deps.RefreshStatus,
 		clientMetrics:  deps.ClientMetrics,
-		daemonVersion:  deps.DaemonVersion,
-		cliVersion:     deps.CliVersion,

 		anonymize:         cfg.Anonymize,
 		includeSystemInfo: cfg.IncludeSystemInfo,
@@ -465,11 +459,9 @@ func (g *BundleGenerator) addStatus() error {
 		protoFullStatus := nbstatus.ToProtoFullStatus(fullStatus)
 		protoFullStatus.Events = g.statusRecorder.GetEventHistory()
 		overview := nbstatus.ConvertToStatusOutputOverview(protoFullStatus, nbstatus.ConvertOptions{
-			Anonymize:     g.anonymize,
-			ProfileName:   profName,
-			DaemonVersion: g.daemonVersion,
+			Anonymize:   g.anonymize,
+			ProfileName: profName,
 		})
-		overview.CliVersion = g.cliVersion
 		statusOutput := overview.FullDetailSummary()

 		statusReader := strings.NewReader(statusOutput)
@@ -644,6 +636,12 @@ func (g *BundleGenerator) addCommonConfigFields(configContent *strings.Builder)
 	if g.internalConfig.SSHJWTCacheTTL != nil {
 		configContent.WriteString(fmt.Sprintf("SSHJWTCacheTTL: %d\n", *g.internalConfig.SSHJWTCacheTTL))
 	}
+	if g.internalConfig.ServerVNCAllowed != nil {
+		configContent.WriteString(fmt.Sprintf("ServerVNCAllowed: %v\n", *g.internalConfig.ServerVNCAllowed))
+	}
+	if g.internalConfig.DisableVNCApproval != nil {
+		configContent.WriteString(fmt.Sprintf("DisableVNCApproval: %v\n", *g.internalConfig.DisableVNCApproval))
+	}

 	configContent.WriteString(fmt.Sprintf("DisableClientRoutes: %v\n", g.internalConfig.DisableClientRoutes))
 	configContent.WriteString(fmt.Sprintf("DisableServerRoutes: %v\n", g.internalConfig.DisableServerRoutes))
@@ -806,8 +804,6 @@ func (g *BundleGenerator) addSyncResponse() error {
 		AllowPartial:    true,
 	}

-	g.maskSecrets()
-
 	jsonBytes, err := options.Marshal(g.syncResponse)
 	if err != nil {
 		return fmt.Errorf("generate json: %w", err)
@@ -820,27 +816,6 @@ func (g *BundleGenerator) addSyncResponse() error {
 	return nil
 }

-func (g *BundleGenerator) maskSecrets() {
-	if g.syncResponse == nil || g.syncResponse.NetbirdConfig == nil {
-		return
-	}
-
-	if g.syncResponse.NetbirdConfig.Flow != nil {
-		g.syncResponse.NetbirdConfig.Flow.TokenPayload = maskedValue
-
-	}
-
-	if g.syncResponse.NetbirdConfig.Relay != nil {
-		g.syncResponse.NetbirdConfig.Relay.TokenPayload = maskedValue
-	}
-
-	for i := range g.syncResponse.NetbirdConfig.Turns {
-		if g.syncResponse.NetbirdConfig.Turns[i] != nil {
-			g.syncResponse.NetbirdConfig.Turns[i].Password = maskedValue
-		}
-	}
-}
-
 func (g *BundleGenerator) addStateFile() error {
 	sm := profilemanager.NewServiceManager("")
 	path := sm.GetStatePath()
@@ -1070,8 +1045,7 @@ func (g *BundleGenerator) addRotatedLogFiles(logDir string) {
 		return
 	}

-	// This regex will match both logs rotated by us and logrotate on linux
-	pattern := filepath.Join(logDir, "client*.log.*")
+	pattern := filepath.Join(logDir, "client-*.log.gz")
 	files, err := filepath.Glob(pattern)
 	if err != nil {
 		log.Warnf("failed to glob rotated logs: %v", err)
@@ -1104,12 +1078,7 @@ func (g *BundleGenerator) addRotatedLogFiles(logDir string) {

 	for i := 0; i < maxFiles; i++ {
 		name := filepath.Base(files[i])
-		if strings.HasSuffix(name, ".gz") {
-			err = g.addSingleLogFileGz(files[i], name)
-		} else {
-			err = g.addSingleLogfile(files[i], name)
-		}
-		if err != nil {
+		if err := g.addSingleLogFileGz(files[i], name); err != nil {
 			log.Warnf("failed to add rotated log %s: %v", name, err)
 		}
 	}
--- a/client/internal/debug/debug_logfiles_test.go
+++ b/client/internal/debug/debug_logfiles_test.go
@@ -1,103 +0,0 @@
-package debug
-
-import (
-	"archive/zip"
-	"bytes"
-	"compress/gzip"
-	"io"
-	"os"
-	"path/filepath"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
-)
-
-// TestAddRotatedLogFiles_PicksUpAllVariants asserts that the rotated-log
-// glob picks up logs rotated by timberjack (gzipped) and by logrotate (plain
-// and gzipped), and skips unrelated files.
-func TestAddRotatedLogFiles_PicksUpAllVariants(t *testing.T) {
-	dir := t.TempDir()
-
-	writeFile(t, filepath.Join(dir, "client.log"), "active log\n")
-	writeFile(t, filepath.Join(dir, "other.log"), "unrelated\n")
-
-	timberjackRotated := "client-2026-05-21T10-30-45.000.log.gz"
-	writeGzFile(t, filepath.Join(dir, timberjackRotated), "timberjack rotated content\n")
-
-	logrotatePlain := "client.log.1"
-	writeFile(t, filepath.Join(dir, logrotatePlain), "logrotate plain content\n")
-
-	logrotateGz := "client.log.2.gz"
-	writeGzFile(t, filepath.Join(dir, logrotateGz), "logrotate gz content\n")
-
-	names := runAddRotatedLogFiles(t, dir, 10)
-
-	require.Contains(t, names, timberjackRotated, "timberjack rotated file should be in bundle")
-	require.Contains(t, names, logrotatePlain, "logrotate plain rotated file should be in bundle")
-	require.Contains(t, names, logrotateGz, "logrotate gzipped rotated file should be in bundle")
-	require.NotContains(t, names, "client.log", "active log should not be added by addRotatedLogFiles")
-	require.NotContains(t, names, "other.log", "unrelated files should not be in bundle")
-}
-
-// TestAddRotatedLogFiles_RespectsLogFileCount asserts that only the newest
-// logFileCount rotated files are bundled, ordered by mtime.
-func TestAddRotatedLogFiles_RespectsLogFileCount(t *testing.T) {
-	dir := t.TempDir()
-
-	oldest := filepath.Join(dir, "client.log.3")
-	middle := filepath.Join(dir, "client.log.2")
-	newest := filepath.Join(dir, "client.log.1")
-	writeFile(t, oldest, "old\n")
-	writeFile(t, middle, "mid\n")
-	writeFile(t, newest, "new\n")
-
-	now := time.Now()
-	require.NoError(t, os.Chtimes(oldest, now.Add(-2*time.Hour), now.Add(-2*time.Hour)))
-	require.NoError(t, os.Chtimes(middle, now.Add(-1*time.Hour), now.Add(-1*time.Hour)))
-	require.NoError(t, os.Chtimes(newest, now, now))
-
-	names := runAddRotatedLogFiles(t, dir, 2)
-
-	require.Contains(t, names, "client.log.1")
-	require.Contains(t, names, "client.log.2")
-	require.NotContains(t, names, "client.log.3", "oldest file should be dropped when logFileCount=2")
-}
-
-// runAddRotatedLogFiles calls addRotatedLogFiles against a fresh in-memory
-// zip writer and returns the set of entry names that ended up in the archive.
-func runAddRotatedLogFiles(t *testing.T, dir string, logFileCount uint32) map[string]struct{} {
-	t.Helper()
-
-	var buf bytes.Buffer
-	g := &BundleGenerator{
-		archive:      zip.NewWriter(&buf),
-		logFileCount: logFileCount,
-	}
-	g.addRotatedLogFiles(dir)
-	require.NoError(t, g.archive.Close())
-
-	zr, err := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
-	require.NoError(t, err)
-
-	names := make(map[string]struct{}, len(zr.File))
-	for _, f := range zr.File {
-		names[f.Name] = struct{}{}
-	}
-	return names
-}
-
-func writeFile(t *testing.T, path, content string) {
-	t.Helper()
-	require.NoError(t, os.WriteFile(path, []byte(content), 0o644))
-}
-
-func writeGzFile(t *testing.T, path, content string) {
-	t.Helper()
-	var buf bytes.Buffer
-	gw := gzip.NewWriter(&buf)
-	_, err := io.WriteString(gw, content)
-	require.NoError(t, err)
-	require.NoError(t, gw.Close())
-	require.NoError(t, os.WriteFile(path, buf.Bytes(), 0o644))
-}
--- a/client/internal/debug/debug_test.go
+++ b/client/internal/debug/debug_test.go
@@ -843,7 +843,6 @@ func TestAddConfig_AllFieldsCovered(t *testing.T) {
 		"PreSharedKey":      "sensitive: WireGuard pre-shared key",
 		"SSHKey":            "sensitive: SSH private key",
 		"ClientCertKeyPair": "non-config: parsed cert pair, not serialized",
-		"policy":            "non-config: in-memory MDM policy snapshot, surfaced via Config.Policy() / GetConfigResponse.MDMManagedFields",
 	}

 	mURL, _ := url.Parse("https://api.example.com:443")
@@ -863,6 +862,8 @@ func TestAddConfig_AllFieldsCovered(t *testing.T) {
 		RosenpassEnabled:              true,
 		RosenpassPermissive:           true,
 		ServerSSHAllowed:              &bTrue,
+		ServerVNCAllowed:              &bTrue,
+		DisableVNCApproval:            &bTrue,
 		EnableSSHRoot:                 &bTrue,
 		EnableSSHSFTP:                 &bTrue,
 		EnableSSHLocalPortForwarding:  &bTrue,
--- a/client/internal/dns/handler_chain.go
+++ b/client/internal/dns/handler_chain.go
@@ -339,7 +339,8 @@ func (c *HandlerChain) isHandlerMatch(qname string, entry HandlerEntry) bool {
 	case entry.Pattern == ".":
 		return true
 	case entry.IsWildcard:
-		return strings.HasSuffix(qname, "."+entry.Pattern)
+		parts := strings.Split(strings.TrimSuffix(qname, entry.Pattern), ".")
+		return len(parts) >= 2 && strings.HasSuffix(qname, entry.Pattern)
 	default:
 		// For non-wildcard patterns:
 		// If handler wants subdomain matching, allow suffix match
--- a/client/internal/dns/handler_chain_test.go
+++ b/client/internal/dns/handler_chain_test.go
@@ -164,54 +164,6 @@ func TestHandlerChain_ServeDNS_DomainMatching(t *testing.T) {
 			matchSubdomains: true,
 			shouldMatch:     true,
 		},
-		{
-			name:            "wildcard label-boundary mismatch (suffix overlap)",
-			handlerDomain:   "*.b.test.",
-			queryDomain:     "x.ab.test.",
-			isWildcard:      true,
-			matchSubdomains: false,
-			shouldMatch:     false,
-		},
-		{
-			name:            "wildcard label-boundary match",
-			handlerDomain:   "*.b.test.",
-			queryDomain:     "x.b.test.",
-			isWildcard:      true,
-			matchSubdomains: false,
-			shouldMatch:     true,
-		},
-		{
-			name:            "wildcard multi-label match",
-			handlerDomain:   "*.b.test.",
-			queryDomain:     "x.y.b.test.",
-			isWildcard:      true,
-			matchSubdomains: false,
-			shouldMatch:     true,
-		},
-		{
-			name:            "wildcard no match on multi-label apex",
-			handlerDomain:   "*.b.test.",
-			queryDomain:     "b.test.",
-			isWildcard:      true,
-			matchSubdomains: false,
-			shouldMatch:     false,
-		},
-		{
-			name:            "wildcard no match on unrelated suffix containment",
-			handlerDomain:   "*.example.com.",
-			queryDomain:     "notexample.com.",
-			isWildcard:      true,
-			matchSubdomains: false,
-			shouldMatch:     false,
-		},
-		{
-			name:            "wildcard accepts pattern registered without trailing dot",
-			handlerDomain:   "*.b.test",
-			queryDomain:     "x.b.test.",
-			isWildcard:      true,
-			matchSubdomains: false,
-			shouldMatch:     true,
-		},
 	}

 	for _, tt := range tests {
@@ -321,19 +273,6 @@ func TestHandlerChain_ServeDNS_OverlappingDomains(t *testing.T) {
 			expectedCalls:   1,
 			expectedHandler: 2, // highest priority matching handler should be called
 		},
-		{
-			name: "overlapping wildcard suffixes route to correct handler",
-			handlers: []struct {
-				pattern  string
-				priority int
-			}{
-				{pattern: "*.b.test.", priority: nbdns.PriorityDNSRoute},
-				{pattern: "*.ab.test.", priority: nbdns.PriorityDNSRoute},
-			},
-			queryDomain:     "app.ab.test.",
-			expectedCalls:   1,
-			expectedHandler: 1,
-		},
 		{
 			name: "root zone with specific domain",
 			handlers: []struct {
--- a/client/internal/dns/local/local.go
+++ b/client/internal/dns/local/local.go
@@ -26,19 +26,6 @@ type resolver interface {
 	LookupNetIP(ctx context.Context, network, host string) ([]netip.Addr, error)
 }

-// PeerConnectivity reports whether a tunnel IP belongs to a peer the
-// client knows about and whether that peer is currently connected. The
-// local resolver uses this to suppress A/AAAA answers whose RDATA points
-// at a disconnected peer (typical case: a synthesized private-service
-// record pointing at an embedded proxy peer that just went offline).
-//
-// known=false means the IP isn't in the local peerstore at all — the
-// record is left alone (it points at something outside our mesh, e.g.
-// a non-peer upstream).
-type PeerConnectivity interface {
-	IsConnectedByIP(ip string) (known, connected bool)
-}
-
 type Resolver struct {
 	mu      sync.RWMutex
 	records map[dns.Question][]dns.RR
@@ -46,11 +33,6 @@ type Resolver struct {
 	// zones maps zone domain -> NonAuthoritative (true = non-authoritative, user-created zone)
 	zones    map[domain.Domain]bool
 	resolver resolver
-	// peerConn, when non-nil, is consulted on every A/AAAA answer to
-	// drop records pointing at disconnected peers. nil disables the
-	// filter and preserves the legacy "return whatever is registered"
-	// behaviour for callers that never wire a status source.
-	peerConn PeerConnectivity

 	ctx    context.Context
 	cancel context.CancelFunc
@@ -67,15 +49,6 @@ func NewResolver() *Resolver {
 	}
 }

-// SetPeerConnectivity wires the per-IP connectivity check used to filter
-// out A/AAAA answers pointing at disconnected peers. Pass nil to disable.
-// Safe to call multiple times; the latest value wins.
-func (d *Resolver) SetPeerConnectivity(p PeerConnectivity) {
-	d.mu.Lock()
-	defer d.mu.Unlock()
-	d.peerConn = p
-}
-
 func (d *Resolver) MatchSubdomains() bool {
 	return true
 }
@@ -122,7 +95,6 @@ func (d *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	replyMessage.RecursionAvailable = true

 	result := d.lookupRecords(logger, question)
-	result.records = d.filterDisconnectedPeerAnswers(logger, question, result.records)
 	replyMessage.Authoritative = !result.hasExternalData
 	replyMessage.Answer = result.records
 	replyMessage.Rcode = d.determineRcode(question, result)
@@ -464,78 +436,6 @@ func (d *Resolver) logDNSError(logger *log.Entry, hostname string, qtype uint16,
 	}
 }

-// filterDisconnectedPeerAnswers drops A/AAAA records whose RDATA matches
-// a known but disconnected peer. The synthesized private-service zones
-// emit one A record per connected proxy peer in a cluster; when a peer
-// goes offline, the server-side refresh removes the record from the
-// next netmap, but the client may still hold the previous netmap for a
-// short window. This filter is the local belt to that braces — even on
-// the stale netmap, the resolver hides the offline target.
-//
-// Records pointing at unknown IPs (outside the local peerstore, e.g.
-// non-mesh upstreams) are never dropped. Non-A/AAAA records pass
-// through untouched.
-//
-// Escape hatch: if filtering would leave the answer empty AND at least
-// one record was filtered, the original list is returned. Better to
-// hand the client a record that may not respond than NXDOMAIN it
-// completely when every proxy peer is offline (the upstream may still
-// be reachable some other way, or the peerstore may be stale).
-func (d *Resolver) filterDisconnectedPeerAnswers(logger *log.Entry, question dns.Question, records []dns.RR) []dns.RR {
-	if len(records) == 0 {
-		return records
-	}
-	d.mu.RLock()
-	checker := d.peerConn
-	d.mu.RUnlock()
-	if checker == nil {
-		return records
-	}
-
-	kept := make([]dns.RR, 0, len(records))
-	var dropped int
-	for _, rr := range records {
-		ip := extractRecordIP(rr)
-		if ip == "" {
-			kept = append(kept, rr)
-			continue
-		}
-		known, connected := checker.IsConnectedByIP(ip)
-		if known && !connected {
-			dropped++
-			continue
-		}
-		kept = append(kept, rr)
-	}
-	if dropped == 0 {
-		return records
-	}
-	if len(kept) == 0 {
-		logger.Debugf("all %d answers for %s point at disconnected peers; returning the original list", dropped, question.Name)
-		return records
-	}
-	logger.Tracef("dropped %d disconnected-peer answer(s) for %s, returning %d", dropped, question.Name, len(kept))
-	return kept
-}
-
-// extractRecordIP returns the dotted-decimal / colon-hex IP carried by
-// an A or AAAA record, or "" for any other record type.
-func extractRecordIP(rr dns.RR) string {
-	switch r := rr.(type) {
-	case *dns.A:
-		if r.A == nil {
-			return ""
-		}
-		return r.A.String()
-	case *dns.AAAA:
-		if r.AAAA == nil {
-			return ""
-		}
-		return r.AAAA.String()
-	}
-	return ""
-}
-
 // Update replaces all zones and their records
 func (d *Resolver) Update(customZones []nbdns.CustomZone) {
 	d.mu.Lock()
--- a/client/internal/dns/local/local_test.go
+++ b/client/internal/dns/local/local_test.go
@@ -30,21 +30,6 @@ func (m *mockResolver) LookupNetIP(ctx context.Context, network, host string) ([
 	return nil, nil
 }

-// mockPeerConnectivity returns canned (known, connected) results per IP.
-// Used by the disconnected-peer filter tests below. IPs not in the map
-// are reported as unknown so the filter leaves them alone.
-type mockPeerConnectivity struct {
-	byIP map[string]struct{ known, connected bool }
-}
-
-func (m mockPeerConnectivity) IsConnectedByIP(ip string) (known, connected bool) {
-	v, ok := m.byIP[ip]
-	if !ok {
-		return false, false
-	}
-	return v.known, v.connected
-}
-
 func TestLocalResolver_ServeDNS(t *testing.T) {
 	recordA := nbdns.SimpleRecord{
 		Name:  "peera.netbird.cloud.",
@@ -2667,114 +2652,3 @@ func BenchmarkIsInManagedZone_ManyZones(b *testing.B) {
 		resolver.isInManagedZone(qname)
 	}
 }
-
-// TestLocalResolver_FilterDisconnectedPeerAnswers verifies the
-// connectivity-aware filtering layered on top of lookupRecords:
-// when an A record's IP belongs to a known peer that's disconnected,
-// the record is dropped from the answer. Records for unknown IPs pass
-// through. If filtering would empty the answer entirely and at least
-// one record was dropped, the original list is restored (escape hatch
-// for the "all proxies offline" case).
-func TestLocalResolver_FilterDisconnectedPeerAnswers(t *testing.T) {
-	zone := "svc.cluster.netbird."
-	connectedRec := nbdns.SimpleRecord{
-		Name:  zone,
-		Type:  int(dns.TypeA),
-		Class: nbdns.DefaultClass,
-		TTL:   5,
-		RData: "100.64.0.10",
-	}
-	disconnectedRec := nbdns.SimpleRecord{
-		Name:  zone,
-		Type:  int(dns.TypeA),
-		Class: nbdns.DefaultClass,
-		TTL:   5,
-		RData: "100.64.0.11",
-	}
-	unknownRec := nbdns.SimpleRecord{
-		Name:  zone,
-		Type:  int(dns.TypeA),
-		Class: nbdns.DefaultClass,
-		TTL:   5,
-		RData: "203.0.113.5",
-	}
-
-	type ipState struct{ known, connected bool }
-	tests := []struct {
-		name        string
-		records     []nbdns.SimpleRecord
-		connByIP    map[string]ipState
-		wantInOrder []string
-	}{
-		{
-			name:    "drops disconnected peer, keeps connected",
-			records: []nbdns.SimpleRecord{connectedRec, disconnectedRec},
-			connByIP: map[string]ipState{
-				"100.64.0.10": {known: true, connected: true},
-				"100.64.0.11": {known: true, connected: false},
-			},
-			wantInOrder: []string{"100.64.0.10"},
-		},
-		{
-			name:    "unknown IPs pass through untouched",
-			records: []nbdns.SimpleRecord{unknownRec, disconnectedRec},
-			connByIP: map[string]ipState{
-				"100.64.0.11": {known: true, connected: false},
-			},
-			wantInOrder: []string{"203.0.113.5"},
-		},
-		{
-			name:    "all disconnected falls back to original list",
-			records: []nbdns.SimpleRecord{disconnectedRec, connectedRec},
-			connByIP: map[string]ipState{
-				"100.64.0.10": {known: true, connected: false},
-				"100.64.0.11": {known: true, connected: false},
-			},
-			wantInOrder: []string{"100.64.0.11", "100.64.0.10"},
-		},
-		{
-			name:        "no checker wired returns all records",
-			records:     []nbdns.SimpleRecord{connectedRec, disconnectedRec},
-			connByIP:    nil,
-			wantInOrder: []string{"100.64.0.10", "100.64.0.11"},
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			resolver := NewResolver()
-			if tc.connByIP != nil {
-				cm := mockPeerConnectivity{byIP: make(map[string]struct{ known, connected bool }, len(tc.connByIP))}
-				for ip, st := range tc.connByIP {
-					cm.byIP[ip] = struct{ known, connected bool }{st.known, st.connected}
-				}
-				resolver.SetPeerConnectivity(cm)
-			}
-			resolver.Update([]nbdns.CustomZone{{
-				Domain:           strings.TrimSuffix(zone, "."),
-				Records:          tc.records,
-				NonAuthoritative: true,
-			}})
-
-			var got *dns.Msg
-			writer := &test.MockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					got = m
-					return nil
-				},
-			}
-			req := new(dns.Msg).SetQuestion(zone, dns.TypeA)
-			resolver.ServeDNS(writer, req)
-
-			require.NotNil(t, got, "resolver must produce a response")
-			require.Len(t, got.Answer, len(tc.wantInOrder),
-				"answer count must match expected: %v", tc.wantInOrder)
-			for i, want := range tc.wantInOrder {
-				a, ok := got.Answer[i].(*dns.A)
-				require.True(t, ok, "answer[%d] must be an A record", i)
-				assert.Equal(t, want, a.A.String(),
-					"answer[%d] expected %s got %s", i, want, a.A.String())
-			}
-		})
-	}
-}
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -301,11 +301,6 @@ func newDefaultServer(
 		warningDelayBase:  defaultWarningDelayBase,
 		healthRefresh:     make(chan struct{}, 1),
 	}
-	// Wire the local resolver against the peer status recorder so it can
-	// suppress A/AAAA answers that point at disconnected peers (typical
-	// case: synthesised private-service records pointing at an embedded
-	// proxy peer that just went offline).
-	defaultServer.localResolver.SetPeerConnectivity(localPeerConnectivity{statusRecorder})

 	// register with root zone, handler chain takes care of the routing
 	dnsService.RegisterMux(".", handlerChain)
@@ -1391,25 +1386,3 @@ func (s *DefaultServer) PopulateManagementDomain(mgmtURL *url.URL) error {
 	}
 	return nil
 }
-
-// localPeerConnectivity adapts *peer.Status to local.PeerConnectivity so
-// the local resolver can ask "is this IP a known peer and is it
-// connected?" without taking on the peer package as a dependency.
-// A nil status recorder always reports known=false so the resolver
-// short-circuits to the legacy "return everything" path.
-type localPeerConnectivity struct {
-	status *peer.Status
-}
-
-// IsConnectedByIP looks the IP up in the peerstore and surfaces both
-// the known and connected bits. Used by Resolver.filterDisconnectedPeerAnswers.
-func (l localPeerConnectivity) IsConnectedByIP(ip string) (known, connected bool) {
-	if l.status == nil {
-		return false, false
-	}
-	state, ok := l.status.PeerStateByIP(ip)
-	if !ok {
-		return false, false
-	}
-	return true, state.ConnStatus == peer.StatusConnected
-}
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -22,6 +22,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/tun/netstack"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/protobuf/proto"

 	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/firewall"
@@ -34,6 +35,7 @@ import (
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/acl"
+	"github.com/netbirdio/netbird/client/internal/approval"
 	"github.com/netbirdio/netbird/client/internal/debug"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
@@ -55,7 +57,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager"
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	"github.com/netbirdio/netbird/client/internal/syncstore"
 	"github.com/netbirdio/netbird/client/internal/updater"
 	"github.com/netbirdio/netbird/client/jobexec"
 	cProto "github.com/netbirdio/netbird/client/proto"
@@ -72,7 +73,6 @@ import (
 	sProto "github.com/netbirdio/netbird/shared/signal/proto"
 	"github.com/netbirdio/netbird/util"
 	"github.com/netbirdio/netbird/util/capture"
-	"github.com/netbirdio/netbird/version"
 )

 // PeerConnectionTimeoutMax is a timeout of an initial connection attempt to a remote peer.
@@ -124,6 +124,8 @@ type EngineConfig struct {
 	RosenpassPermissive bool

 	ServerSSHAllowed              bool
+	ServerVNCAllowed              bool
+	DisableVNCApproval            *bool
 	EnableSSHRoot                 *bool
 	EnableSSHSFTP                 *bool
 	EnableSSHLocalPortForwarding  *bool
@@ -149,10 +151,6 @@ type EngineConfig struct {

 	LogPath string
 	TempDir string
-
-	// StateDir is the directory holding the state file. The sync response
-	// (network map) is serialized here on platforms that persist it to disk.
-	StateDir string
 }

 // EngineServices holds the external service dependencies required by the Engine.
@@ -209,7 +207,9 @@ type Engine struct {

 	networkMonitor *networkmonitor.NetworkMonitor

-	sshServer sshServer
+	sshServer      sshServer
+	vncSrv         vncServer
+	approvalBroker *approval.Broker

 	statusRecorder *peer.Status

@@ -231,15 +231,10 @@ type Engine struct {

 	afpacketCapture *capture.AFPacketCapture

-	// Sync response persistence (protected by syncRespMux).
-	// syncStore is nil unless persistence has been enabled; its presence is
-	// what marks persistence as active. The backend (disk or memory) is
-	// selected per-platform; see the syncstore package. syncStoreDir is where
-	// a disk-backed store serializes to.
-	syncRespMux  sync.RWMutex
-	syncStore    syncstore.Store
-	syncStoreDir string
-
+	// Sync response persistence (protected by syncRespMux)
+	syncRespMux         sync.RWMutex
+	persistSyncResponse bool
+	latestSyncResponse  *mgmProto.SyncResponse
 	flowManager         nftypes.FlowManager

 	// auto-update
@@ -295,6 +290,7 @@ func NewEngine(
 		TURNs:              []*stun.URI{},
 		networkSerial:      0,
 		statusRecorder:     services.StatusRecorder,
+		approvalBroker:     approval.New(services.StatusRecorder),
 		stateManager:       services.StateManager,
 		portForwardManager: portforward.NewManager(),
 		checks:             services.Checks,
@@ -302,7 +298,6 @@ func NewEngine(
 		jobExecutor:        jobexec.NewExecutor(),
 		clientMetrics:      services.ClientMetrics,
 		updateManager:      services.UpdateManager,
-		syncStoreDir:       config.StateDir,
 	}

 	log.Infof("I am: %s", config.WgPrivateKey.PublicKey().String())
@@ -331,6 +326,10 @@ func (e *Engine) Stop() error {
 		log.Warnf("failed to stop SSH server: %v", err)
 	}

+	if err := e.stopVNCServer(); err != nil {
+		log.Warnf("failed to stop VNC server: %v", err)
+	}
+
 	e.cleanupSSHConfig()

 	if e.ingressGatewayMgr != nil {
@@ -924,19 +923,20 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 	}

 	// Persist sync response under the dedicated lock (syncRespMux), not under syncMsgMux.
-	// A non-nil syncStore is what marks persistence as enabled. Hold the lock for
-	// the whole Set so the store cannot be cleared (disabled / engine close)
-	// mid-call and have this write resurrect a file that was just removed.
+	// Read the storage-enabled flag under the syncRespMux too.
 	e.syncRespMux.RLock()
-	if e.syncStore != nil {
-		if err := e.syncStore.Set(update); err != nil {
-			log.Errorf("failed to persist sync response: %v", err)
-		} else {
-			log.Debugf("sync response persisted with serial %d", nm.GetSerial())
-		}
-	}
+	enabled := e.persistSyncResponse
 	e.syncRespMux.RUnlock()

+	// Store sync response if persistence is enabled
+	if enabled {
+		e.syncRespMux.Lock()
+		e.latestSyncResponse = update
+		e.syncRespMux.Unlock()
+
+		log.Debugf("sync response persisted with serial %d", nm.GetSerial())
+	}
+
 	// only apply new changes and ignore old ones
 	if err := e.updateNetworkMap(nm); err != nil {
 		return err
@@ -1020,6 +1020,7 @@ func (e *Engine) updateChecksIfNew(checks []*mgmProto.Checks) error {
 		e.config.RosenpassEnabled,
 		e.config.RosenpassPermissive,
 		&e.config.ServerSSHAllowed,
+		&e.config.ServerVNCAllowed,
 		e.config.DisableClientRoutes,
 		e.config.DisableServerRoutes,
 		e.config.DisableDNS,
@@ -1067,13 +1068,16 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 		}
 	}

+	if err := e.updateVNC(); err != nil {
+		log.Warnf("failed handling VNC server setup: %v", err)
+	}
+
 	state := e.statusRecorder.GetLocalPeerState()
 	state.IP = e.wgInterface.Address().String()
 	state.IPv6 = e.wgInterface.Address().IPv6String()
 	state.PubKey = e.config.WgPrivateKey.PublicKey().String()
 	state.KernelInterface = !e.wgInterface.IsUserspaceBind()
 	state.FQDN = conf.GetFqdn()
-	state.WgPort = e.config.WgPort

 	e.statusRecorder.UpdateLocalPeerState(state)

@@ -1152,7 +1156,6 @@ func (e *Engine) handleBundle(params *mgmProto.BundleParameters) (*mgmProto.JobR
 		LogPath:        e.config.LogPath,
 		TempDir:        e.config.TempDir,
 		ClientMetrics:  e.clientMetrics,
-		DaemonVersion:  version.NetbirdVersion(),
 		RefreshStatus: func() {
 			e.RunHealthProbes(true)
 		},
@@ -1194,6 +1197,7 @@ func (e *Engine) receiveManagementEvents() {
 			e.config.RosenpassEnabled,
 			e.config.RosenpassPermissive,
 			&e.config.ServerSSHAllowed,
+			&e.config.ServerVNCAllowed,
 			e.config.DisableClientRoutes,
 			e.config.DisableServerRoutes,
 			e.config.DisableDNS,
@@ -1383,6 +1387,11 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		e.updateSSHServerAuth(networkMap.GetSshAuth())
 	}

+	// VNC auth: always sync, including nil so cleared auth on the management
+	// side is applied locally, and so it isn't skipped on the RemotePeersIsEmpty
+	// cleanup path.
+	e.updateVNCServerAuth(networkMap.GetVncAuth())
+
 	// must set the exclude list after the peers are added. Without it the manager can not figure out the peers parameters from the store
 	excludedLazyPeers := e.toExcludedLazyPeers(forwardingRules, remotePeers)
 	e.connMgr.SetExcludeList(e.ctx, excludedLazyPeers)
@@ -1825,18 +1834,6 @@ func (e *Engine) close() {
 	if err := e.portForwardManager.GracefullyStop(ctx); err != nil {
 		log.Warnf("failed to gracefully stop port forwarding manager: %s", err)
 	}
-
-	// Drop any persisted sync response so its network map does not linger on
-	// disk after the engine stops (and cannot leak into a later run).
-	e.syncRespMux.Lock()
-	store := e.syncStore
-	e.syncStore = nil
-	e.syncRespMux.Unlock()
-	if store != nil {
-		if err := store.Clear(); err != nil {
-			log.Warnf("failed to clear persisted sync response on close: %v", err)
-		}
-	}
 }

 func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, bool, error) {
@@ -1850,6 +1847,7 @@ func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, bool, err
 		e.config.RosenpassEnabled,
 		e.config.RosenpassPermissive,
 		&e.config.ServerSSHAllowed,
+		&e.config.ServerVNCAllowed,
 		e.config.DisableClientRoutes,
 		e.config.DisableServerRoutes,
 		e.config.DisableDNS,
@@ -1991,29 +1989,6 @@ func (e *Engine) GetClientMetrics() *metrics.ClientMetrics {
 	return e.clientMetrics
 }

-// Performance bundles runtime-adjustable tunnel pool knobs.
-// See Engine.SetPerformance. Nil fields are ignored.
-type Performance struct {
-	PreallocatedBuffersPerPool *uint32
-}
-
-// SetPerformance applies the given tuning to this engine's live Device.
-func (e *Engine) SetPerformance(t Performance) error {
-	e.syncMsgMux.Lock()
-	defer e.syncMsgMux.Unlock()
-	if e.wgInterface == nil {
-		return fmt.Errorf("wg interface not initialized")
-	}
-	dev := e.wgInterface.GetWGDevice()
-	if dev == nil {
-		return fmt.Errorf("wg device not initialized")
-	}
-	if t.PreallocatedBuffersPerPool != nil {
-		dev.SetPreallocatedBuffersPerPool(*t.PreallocatedBuffersPerPool)
-	}
-	return nil
-}
-
 func findIPFromInterfaceName(ifaceName string) (net.IP, error) {
 	iface, err := net.InterfaceByName(ifaceName)
 	if err != nil {
@@ -2166,42 +2141,45 @@ func (e *Engine) stopDNSServer() {
 	e.statusRecorder.UpdateDNSStates(nsGroupStates)
 }

-// SetSyncResponsePersistence enables or disables sync response persistence.
-// The store is only instantiated while persistence is enabled; construction
-// itself drops any stale data left over from an earlier run (see syncstore).
+// SetSyncResponsePersistence enables or disables sync response persistence
 func (e *Engine) SetSyncResponsePersistence(enabled bool) {
 	e.syncRespMux.Lock()
 	defer e.syncRespMux.Unlock()

-	if enabled == (e.syncStore != nil) {
+	if enabled == e.persistSyncResponse {
 		return
 	}
+	e.persistSyncResponse = enabled
 	log.Debugf("Sync response persistence is set to %t", enabled)

 	if !enabled {
-		if err := e.syncStore.Clear(); err != nil {
-			log.Warnf("failed to clear persisted sync response: %v", err)
-		}
-		e.syncStore = nil
-		return
+		e.latestSyncResponse = nil
 	}
-
-	e.syncStore = syncstore.New(e.syncStoreDir)
 }

 // GetLatestSyncResponse returns the stored sync response if persistence is enabled
 func (e *Engine) GetLatestSyncResponse() (*mgmProto.SyncResponse, error) {
-	// Hold the lock for the whole Get so the store cannot be cleared
-	// (disabled / engine close) mid-call.
 	e.syncRespMux.RLock()
-	defer e.syncRespMux.RUnlock()
+	enabled := e.persistSyncResponse
+	latest := e.latestSyncResponse
+	e.syncRespMux.RUnlock()

-	if e.syncStore == nil {
+	if !enabled {
 		return nil, errors.New("sync response persistence is disabled")
 	}

-	//nolint:nilnil
-	return e.syncStore.Get()
+	if latest == nil {
+		//nolint:nilnil
+		return nil, nil
+	}
+
+	log.Debugf("Retrieving latest sync response with size %d bytes", proto.Size(latest))
+	sr, ok := proto.Clone(latest).(*mgmProto.SyncResponse)
+	if !ok {
+		return nil, fmt.Errorf("failed to clone sync response")
+	}
+
+	return sr, nil
 }

 // GetWgAddr returns the wireguard address
@@ -2237,7 +2215,7 @@ func (e *Engine) updateDNSForwarder(
 	enabled bool,
 	fwdEntries []*dnsfwd.ForwarderEntry,
 ) {
-	if e.config.DisableServerRoutes || e.config.BlockInbound {
+	if e.config.DisableServerRoutes {
 		return
 	}

@@ -2634,3 +2612,16 @@ func decodeRelayIP(b []byte) netip.Addr {
 	}
 	return ip.Unmap()
 }
+
+// RespondApproval relays the user's decision for a pending approval to
+// the broker. viewOnly is honoured only when accept is true. Returns
+// true when the request_id matched a live prompt.
+func (e *Engine) RespondApproval(requestID string, accept, viewOnly bool) bool {
+	if e == nil || e.approvalBroker == nil {
+		return false
+	}
+	return e.approvalBroker.Respond(requestID, approval.Decision{
+		Accept:   accept,
+		ViewOnly: accept && viewOnly,
+	})
+}
--- a/client/internal/engine_ssh.go
+++ b/client/internal/engine_ssh.go
@@ -12,7 +12,7 @@ import (
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
-	sshauth "github.com/netbirdio/netbird/client/ssh/auth"
+	sshauth "github.com/netbirdio/netbird/shared/sessionauth"
 	sshconfig "github.com/netbirdio/netbird/client/ssh/config"
 	sshserver "github.com/netbirdio/netbird/client/ssh/server"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
@@ -237,22 +237,18 @@ func (e *Engine) startSSHServer(jwtConfig *sshserver.JWTConfig) error {
 		return errors.New("wg interface not initialized")
 	}

+	wgAddr := e.wgInterface.Address()
 	serverConfig := &sshserver.Config{
-		HostKeyPEM: e.config.SSHKey,
-		JWT:        jwtConfig,
+		HostKeyPEM:        e.config.SSHKey,
+		JWT:               jwtConfig,
+		NetstackNet:       e.wgInterface.GetNet(),
+		NetworkValidation: wgAddr,
 	}
 	server := sshserver.New(serverConfig)

-	wgAddr := e.wgInterface.Address()
-	server.SetNetworkValidation(wgAddr)
-
 	netbirdIP := wgAddr.IP
 	listenAddr := netip.AddrPortFrom(netbirdIP, sshserver.InternalSSHPort)

-	if netstackNet := e.wgInterface.GetNet(); netstackNet != nil {
-		server.SetNetstackNet(netstackNet)
-	}
-
 	e.configureSSHServer(server)

 	if err := server.Start(e.ctx, listenAddr); err != nil {
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -27,7 +27,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/management/server/job"

-	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator/validator"
+	"github.com/netbirdio/management-integrations/integrations"

 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
@@ -66,8 +66,8 @@ import (
 	"github.com/netbirdio/netbird/route"
 	mgmt "github.com/netbirdio/netbird/shared/management/client"
 	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
-	"github.com/netbirdio/netbird/shared/netiputil"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
+	"github.com/netbirdio/netbird/shared/netiputil"
 	signal "github.com/netbirdio/netbird/shared/signal/client"
 	"github.com/netbirdio/netbird/shared/signal/proto"
 	signalServer "github.com/netbirdio/netbird/signal/server"
@@ -1641,7 +1641,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 		return nil, "", err
 	}

-	ia, _ := validator.NewIntegratedValidator(context.Background(), peersManager, nil, eventStore, cacheStore)
+	ia, _ := integrations.NewIntegratedValidator(context.Background(), peersManager, nil, eventStore, cacheStore)

 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)
--- a/client/internal/engine_vnc.go
+++ b/client/internal/engine_vnc.go
@@ -0,0 +1,303 @@
+//go:build !js && !ios && !android
+
+package internal
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/netip"
+
+	log "github.com/sirupsen/logrus"
+
+	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/internal/approval"
+	"github.com/netbirdio/netbird/client/internal/metrics"
+	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/vnc"
+	vncserver "github.com/netbirdio/netbird/client/vnc/server"
+	sshauth "github.com/netbirdio/netbird/shared/sessionauth"
+	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+	sshuserhash "github.com/netbirdio/netbird/shared/sshauth"
+)
+
+
+type vncServer interface {
+	Start(ctx context.Context, addr netip.AddrPort, network netip.Prefix) error
+	Stop() error
+	ActiveSessions() []vncserver.ActiveSessionInfo
+}
+
+func (e *Engine) setupVNCPortRedirection() error {
+	if e.firewall == nil || e.wgInterface == nil {
+		return nil
+	}
+
+	localAddr := e.wgInterface.Address().IP
+	if !localAddr.IsValid() {
+		return errors.New("invalid local NetBird address")
+	}
+
+	if err := e.firewall.AddInboundDNAT(localAddr, firewallManager.ProtocolTCP, vnc.ExternalPort, vnc.InternalPort); err != nil {
+		return fmt.Errorf("add VNC port redirection: %w", err)
+	}
+	log.Infof("VNC port redirection: %s:%d -> %s:%d", localAddr, vnc.ExternalPort, localAddr, vnc.InternalPort)
+
+	return nil
+}
+
+func (e *Engine) cleanupVNCPortRedirection() error {
+	if e.firewall == nil || e.wgInterface == nil {
+		return nil
+	}
+
+	localAddr := e.wgInterface.Address().IP
+	if !localAddr.IsValid() {
+		return errors.New("invalid local NetBird address")
+	}
+
+	if err := e.firewall.RemoveInboundDNAT(localAddr, firewallManager.ProtocolTCP, vnc.ExternalPort, vnc.InternalPort); err != nil {
+		return fmt.Errorf("remove VNC port redirection: %w", err)
+	}
+
+	return nil
+}
+
+// updateVNC handles starting/stopping the VNC server based on the config flag.
+func (e *Engine) updateVNC() error {
+	if !e.config.ServerVNCAllowed {
+		if e.vncSrv != nil {
+			log.Info("VNC server disabled, stopping")
+		}
+		return e.stopVNCServer()
+	}
+
+	if e.config.BlockInbound {
+		log.Info("VNC server disabled because inbound connections are blocked")
+		return e.stopVNCServer()
+	}
+
+	if e.vncSrv != nil {
+		return nil
+	}
+
+	return e.startVNCServer()
+}
+
+func (e *Engine) startVNCServer() error {
+	if e.wgInterface == nil {
+		return errors.New("wg interface not initialized")
+	}
+
+	capturer, injector, ok := newPlatformVNC()
+	if !ok {
+		log.Debug("VNC server not supported on this platform")
+		return nil
+	}
+
+	netbirdIP := e.wgInterface.Address().IP
+
+	var sessionRecorder func(vncserver.SessionTick)
+	if e.clientMetrics != nil {
+		sessionRecorder = func(t vncserver.SessionTick) {
+			e.clientMetrics.RecordVNCSessionTick(e.ctx, metrics.VNCSessionTick{
+				Period:        t.Period,
+				BytesOut:      t.BytesOut,
+				Writes:        t.Writes,
+				FBUs:          t.FBUs,
+				MaxFBUBytes:   t.MaxFBUBytes,
+				MaxFBURects:   t.MaxFBURects,
+				MaxWriteBytes: t.MaxWriteBytes,
+				WriteNanos:    t.WriteNanos,
+			})
+		}
+	}
+	serviceMode := vncNeedsServiceMode()
+	if serviceMode {
+		log.Info("VNC: running as system service, enabling service mode (per-session agent proxy)")
+	}
+	requireApproval := e.config.DisableVNCApproval == nil || !*e.config.DisableVNCApproval
+	srv := vncserver.New(vncserver.Config{
+		Capturer:        capturer,
+		Injector:        injector,
+		IdentityKey:     e.config.WgPrivateKey[:],
+		ServiceMode:     serviceMode,
+		SessionRecorder: sessionRecorder,
+		NetstackNet:     e.wgInterface.GetNet(),
+		RequireApproval: requireApproval,
+		Approver:        &vncApprover{broker: e.approvalBroker, statusRecorder: e.statusRecorder},
+	})
+
+	listenAddr := netip.AddrPortFrom(netbirdIP, vnc.InternalPort)
+	network := e.wgInterface.Address().Network
+	if err := srv.Start(e.ctx, listenAddr, network); err != nil {
+		return fmt.Errorf("start VNC server: %w", err)
+	}
+
+	e.vncSrv = srv
+
+	if netstackNet := e.wgInterface.GetNet(); netstackNet != nil {
+		if registrar, ok := e.firewall.(interface {
+			RegisterNetstackService(protocol nftypes.Protocol, port uint16)
+		}); ok {
+			registrar.RegisterNetstackService(nftypes.TCP, vnc.InternalPort)
+			log.Debugf("registered VNC service with netstack for TCP:%d", vnc.InternalPort)
+		}
+	}
+
+	if err := e.setupVNCPortRedirection(); err != nil {
+		log.Warnf("setup VNC port redirection: %v", err)
+	}
+
+	log.Info("VNC server enabled")
+	return nil
+}
+
+// updateVNCServerAuth updates VNC fine-grained access control from management.
+// A nil vncAuth clears all authorized users and session pubkeys so management
+// can revoke access by omitting the field on the next sync.
+func (e *Engine) updateVNCServerAuth(vncAuth *mgmProto.VNCAuth) {
+	if e.vncSrv == nil {
+		return
+	}
+
+	vncSrv, ok := e.vncSrv.(*vncserver.Server)
+	if !ok {
+		return
+	}
+
+	if vncAuth == nil {
+		vncSrv.UpdateVNCAuth(&sshauth.Config{})
+		return
+	}
+
+	protoUsers := vncAuth.GetAuthorizedUsers()
+	authorizedUsers := make([]sshuserhash.UserIDHash, len(protoUsers))
+	for i, hash := range protoUsers {
+		if len(hash) != 16 {
+			log.Warnf("invalid VNC auth hash length %d, expected 16", len(hash))
+			return
+		}
+		authorizedUsers[i] = sshuserhash.UserIDHash(hash)
+	}
+
+	machineUsers := make(map[string][]uint32)
+	for osUser, indexes := range vncAuth.GetMachineUsers() {
+		machineUsers[osUser] = indexes.GetIndexes()
+	}
+
+	sessionPubKeys := make([]sshauth.SessionPubKey, 0, len(vncAuth.GetSessionPubKeys()))
+	for _, e := range vncAuth.GetSessionPubKeys() {
+		pub := e.GetPubKey()
+		if len(pub) != 32 {
+			log.Warnf("VNC session pubkey wrong length %d", len(pub))
+			continue
+		}
+		hash := e.GetUserIdHash()
+		if len(hash) != 16 {
+			log.Warnf("VNC session user id hash wrong length %d", len(hash))
+			continue
+		}
+		sessionPubKeys = append(sessionPubKeys, sshauth.SessionPubKey{
+			PubKey:      pub,
+			UserIDHash:  sshuserhash.UserIDHash(hash),
+			DisplayName: e.GetDisplayName(),
+		})
+	}
+
+	vncSrv.UpdateVNCAuth(&sshauth.Config{
+		AuthorizedUsers: authorizedUsers,
+		MachineUsers:    machineUsers,
+		SessionPubKeys:  sessionPubKeys,
+	})
+}
+
+// GetVNCServerStatus returns whether the VNC server is running and the list
+// of active VNC sessions. The pointer is captured under syncMsgMux so a
+// concurrent updateVNC/stopVNCServer cannot swap it out between the nil
+// check and the ActiveSessions call.
+func (e *Engine) GetVNCServerStatus() (enabled bool, sessions []vncserver.ActiveSessionInfo) {
+	e.syncMsgMux.Lock()
+	vncSrv := e.vncSrv
+	e.syncMsgMux.Unlock()
+	if vncSrv == nil {
+		return false, nil
+	}
+	return true, vncSrv.ActiveSessions()
+}
+
+func (e *Engine) stopVNCServer() error {
+	if e.vncSrv == nil {
+		return nil
+	}
+
+	if err := e.cleanupVNCPortRedirection(); err != nil {
+		log.Warnf("cleanup VNC port redirection: %v", err)
+	}
+
+	if netstackNet := e.wgInterface.GetNet(); netstackNet != nil {
+		if registrar, ok := e.firewall.(interface {
+			UnregisterNetstackService(protocol nftypes.Protocol, port uint16)
+		}); ok {
+			registrar.UnregisterNetstackService(nftypes.TCP, vnc.InternalPort)
+		}
+	}
+
+	log.Info("stopping VNC server")
+	err := e.vncSrv.Stop()
+	e.vncSrv = nil
+	if err != nil {
+		return fmt.Errorf("stop VNC server: %w", err)
+	}
+	return nil
+}
+
+// vncApprover adapts the generic approval.Broker for the VNC server.
+type vncApprover struct {
+	broker         *approval.Broker
+	statusRecorder *peer.Status
+}
+
+func (a *vncApprover) Request(ctx context.Context, info vncserver.ApprovalInfo) (vncserver.ApprovalDecision, error) {
+	// Resolve the source overlay IP to a peer FQDN for the prompt label.
+	if info.PeerName == "" && info.SourceIP != "" && a.statusRecorder != nil {
+		if fqdn, ok := a.statusRecorder.PeerByIP(info.SourceIP); ok {
+			info.PeerName = fqdn
+		}
+	}
+	subject := fmt.Sprintf("VNC connection from %s", displayPeer(info))
+	meta := map[string]string{
+		"peer_name":   info.PeerName,
+		"peer_pubkey": info.PeerPubKey,
+		"source_ip":   info.SourceIP,
+		"mode":        info.Mode,
+		"username":    info.Username,
+		"initiator":   info.Initiator,
+	}
+	d, err := a.broker.Request(ctx, approval.Prompt{
+		Kind:     approval.KindVNC,
+		Subject:  subject,
+		Metadata: meta,
+	})
+	if err != nil {
+		return vncserver.ApprovalDecision{}, err
+	}
+	return vncserver.ApprovalDecision{ViewOnly: d.ViewOnly}, nil
+}
+
+func displayPeer(info vncserver.ApprovalInfo) string {
+	if info.Initiator != "" {
+		return info.Initiator
+	}
+	if info.PeerName != "" {
+		return info.PeerName
+	}
+	if info.SourceIP != "" {
+		return info.SourceIP
+	}
+	if info.PeerPubKey != "" {
+		return info.PeerPubKey
+	}
+	return "unknown peer"
+}
--- a/client/internal/engine_vnc_console_freebsd.go
+++ b/client/internal/engine_vnc_console_freebsd.go
@@ -0,0 +1,31 @@
+//go:build freebsd
+
+package internal
+
+import (
+	"fmt"
+
+	log "github.com/sirupsen/logrus"
+
+	vncserver "github.com/netbirdio/netbird/client/vnc/server"
+)
+
+// newConsoleVNC builds the FreeBSD console fallback: vt(4) framebuffer
+// for capture, /dev/uinput for input. The uinput device requires the
+// `uinput` kernel module (`kldload uinput`); without it, input init
+// fails and we drop to a stub injector so the user still gets a
+// view-only screen mirror.
+func newConsoleVNC() (vncserver.ScreenCapturer, vncserver.InputInjector, error) {
+	poller := vncserver.NewFBPoller("")
+	w, h := poller.Width(), poller.Height()
+	if w == 0 || h == 0 {
+		poller.Close()
+		return nil, nil, fmt.Errorf("vt framebuffer init failed (vt may not allow mmap on this driver)")
+	}
+	if inj, err := vncserver.NewUInputInjector(w, h); err == nil {
+		return poller, inj, nil
+	} else {
+		log.Infof("VNC console: uinput unavailable (%v); view-only mode. Run `kldload uinput` to enable input.", err)
+		return poller, &vncserver.StubInputInjector{}, nil
+	}
+}
--- a/client/internal/engine_vnc_console_linux.go
+++ b/client/internal/engine_vnc_console_linux.go
@@ -0,0 +1,30 @@
+//go:build linux && !android
+
+package internal
+
+import (
+	"fmt"
+
+	log "github.com/sirupsen/logrus"
+
+	vncserver "github.com/netbirdio/netbird/client/vnc/server"
+)
+
+// newConsoleVNC builds a framebuffer + uinput VNC backend for boxes
+// without a running X server. Used as the auto-fallback when
+// newPlatformVNC can't reach X. Returns an error when /dev/fb0 or
+// /dev/uinput aren't usable so the caller can drop back to a stub.
+func newConsoleVNC() (vncserver.ScreenCapturer, vncserver.InputInjector, error) {
+	poller := vncserver.NewFBPoller("")
+	w, h := poller.Width(), poller.Height()
+	if w == 0 || h == 0 {
+		poller.Close()
+		return nil, nil, fmt.Errorf("framebuffer capturer init failed (is /dev/fb0 readable?)")
+	}
+	inj, err := vncserver.NewUInputInjector(w, h)
+	if err != nil {
+		log.Debugf("uinput unavailable, falling back to view-only VNC: %v", err)
+		return poller, &vncserver.StubInputInjector{}, nil
+	}
+	return poller, inj, nil
+}
--- a/client/internal/engine_vnc_darwin.go
+++ b/client/internal/engine_vnc_darwin.go
@@ -0,0 +1,34 @@
+//go:build darwin && !ios
+
+package internal
+
+import (
+	"os"
+
+	log "github.com/sirupsen/logrus"
+
+	vncserver "github.com/netbirdio/netbird/client/vnc/server"
+)
+
+func newPlatformVNC() (vncserver.ScreenCapturer, vncserver.InputInjector, bool) {
+	capturer := vncserver.NewMacPoller()
+	// Prompt for Screen Recording at server-enable time rather than first
+	// client-connect. The native prompt is far easier for users to act on
+	// in the moment they toggled VNC on than later when "the screen looks
+	// like wallpaper" would otherwise be the only clue.
+	vncserver.PrimeScreenCapturePermission()
+	injector, err := vncserver.NewMacInputInjector()
+	if err != nil {
+		log.Debugf("VNC: macOS input injector: %v", err)
+		return capturer, &vncserver.StubInputInjector{}, true
+	}
+	return capturer, injector, true
+}
+
+// vncNeedsServiceMode reports whether the running process is a system
+// LaunchDaemon (root, parented by launchd). Daemons sit in the global
+// bootstrap namespace and cannot talk to WindowServer; we route capture
+// through a per-user agent in that case.
+func vncNeedsServiceMode() bool {
+	return os.Geteuid() == 0 && os.Getppid() == 1
+}
--- a/client/internal/engine_vnc_stub.go
+++ b/client/internal/engine_vnc_stub.go
@@ -0,0 +1,23 @@
+//go:build js || ios || android
+
+package internal
+
+import (
+	log "github.com/sirupsen/logrus"
+
+	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+)
+
+type vncServer interface{}
+
+func (e *Engine) updateVNC() error { return nil }
+
+func (e *Engine) updateVNCServerAuth(auth *mgmProto.VNCAuth) {
+	if auth == nil {
+		return
+	}
+	log.Debugf("ignoring VNC auth push on platform without a VNC server: %d session pubkeys, %d authorized users",
+		len(auth.GetSessionPubKeys()), len(auth.GetAuthorizedUsers()))
+}
+
+func (e *Engine) stopVNCServer() error { return nil }
--- a/client/internal/engine_vnc_windows.go
+++ b/client/internal/engine_vnc_windows.go
@@ -0,0 +1,13 @@
+//go:build windows
+
+package internal
+
+import vncserver "github.com/netbirdio/netbird/client/vnc/server"
+
+func newPlatformVNC() (vncserver.ScreenCapturer, vncserver.InputInjector, bool) {
+	return vncserver.NewDesktopCapturer(), vncserver.NewWindowsInputInjector(), true
+}
+
+func vncNeedsServiceMode() bool {
+	return vncserver.GetCurrentSessionID() == 0
+}
--- a/client/internal/engine_vnc_x11.go
+++ b/client/internal/engine_vnc_x11.go
@@ -0,0 +1,35 @@
+//go:build (linux && !android) || freebsd
+
+package internal
+
+import (
+	log "github.com/sirupsen/logrus"
+
+	vncserver "github.com/netbirdio/netbird/client/vnc/server"
+)
+
+func newPlatformVNC() (vncserver.ScreenCapturer, vncserver.InputInjector, bool) {
+	// Prefer X11 when an X server is reachable. NewX11InputInjector probes
+	// DISPLAY (and /proc) eagerly, so a non-nil error here means no X.
+	injector, err := vncserver.NewX11InputInjector("", "", "")
+	if err == nil {
+		return vncserver.NewX11Poller("", ""), injector, true
+	}
+	log.Debugf("VNC: X11 not available: %v", err)
+
+	// Fallback for headless / pre-X states (kernel console, login manager
+	// without X, physical server in recovery): stream the framebuffer and
+	// inject input via /dev/uinput.
+	consoleCap, consoleInj, err := newConsoleVNC()
+	if err == nil {
+		log.Infof("VNC: using framebuffer console capture (%dx%d)", consoleCap.Width(), consoleCap.Height())
+		return consoleCap, consoleInj, true
+	}
+	log.Debugf("VNC: framebuffer console fallback unavailable: %v", err)
+
+	return &vncserver.StubCapturer{}, &vncserver.StubInputInjector{}, false
+}
+
+func vncNeedsServiceMode() bool {
+	return false
+}
--- a/client/internal/lazyconn/support.go
+++ b/client/internal/lazyconn/support.go
@@ -4,8 +4,6 @@ import (
 	"strings"

 	"github.com/hashicorp/go-version"
-
-	nbversion "github.com/netbirdio/netbird/version"
 )

 var (
@@ -13,7 +11,7 @@ var (
 )

 func IsSupported(agentVersion string) bool {
-	if nbversion.IsDevelopmentVersion(agentVersion) {
+	if agentVersion == "development" {
 		return true
 	}

--- a/client/internal/metrics/influxdb.go
+++ b/client/internal/metrics/influxdb.go
@@ -120,6 +120,36 @@ func (m *influxDBMetrics) RecordSyncDuration(_ context.Context, agentInfo AgentI
 	m.trimLocked()
 }

+func (m *influxDBMetrics) RecordVNCSessionTick(_ context.Context, agentInfo AgentInfo, tick VNCSessionTick) {
+	tags := fmt.Sprintf("deployment_type=%s,version=%s,os=%s,arch=%s,peer_id=%s",
+		agentInfo.DeploymentType.String(),
+		agentInfo.Version,
+		agentInfo.OS,
+		agentInfo.Arch,
+		agentInfo.peerID,
+	)
+
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	m.samples = append(m.samples, influxSample{
+		measurement: "netbird_vnc_traffic",
+		tags:        tags,
+		fields: map[string]float64{
+			"period_seconds":     tick.Period.Seconds(),
+			"bytes_out":          float64(tick.BytesOut),
+			"writes":             float64(tick.Writes),
+			"fbus":               float64(tick.FBUs),
+			"max_fbu_bytes":      float64(tick.MaxFBUBytes),
+			"max_fbu_rects":      float64(tick.MaxFBURects),
+			"max_write_bytes":    float64(tick.MaxWriteBytes),
+			"write_time_seconds": float64(tick.WriteNanos) / 1e9,
+		},
+		timestamp: time.Now(),
+	})
+	m.trimLocked()
+}
+
 func (m *influxDBMetrics) RecordLoginDuration(_ context.Context, agentInfo AgentInfo, duration time.Duration, success bool) {
 	result := "success"
 	if !success {
--- a/client/internal/metrics/metrics.go
+++ b/client/internal/metrics/metrics.go
@@ -59,6 +59,11 @@ type metricsImplementation interface {
 	// RecordLoginDuration records how long the login to management took
 	RecordLoginDuration(ctx context.Context, agentInfo AgentInfo, duration time.Duration, success bool)

+	// RecordVNCSessionTick records a periodic snapshot of one VNC
+	// session's wire activity. Called once per metricsConn tick interval
+	// (and once at session close), only when the tick saw activity.
+	RecordVNCSessionTick(ctx context.Context, agentInfo AgentInfo, tick VNCSessionTick)
+
 	// Export exports metrics in InfluxDB line protocol format
 	Export(w io.Writer) error

@@ -78,6 +83,21 @@ type ClientMetrics struct {
 	pushCancel context.CancelFunc
 }

+// VNCSessionTick is one sampling slice of a VNC session's wire activity.
+// BytesOut / Writes / FBUs / WriteNanos are deltas observed during this
+// tick; Max* fields are the high-water marks observed during the tick.
+// Period is the wall-clock duration the deltas cover.
+type VNCSessionTick struct {
+	Period        time.Duration
+	BytesOut      uint64
+	Writes        uint64
+	FBUs          uint64
+	MaxFBUBytes   uint64
+	MaxFBURects   uint64
+	MaxWriteBytes uint64
+	WriteNanos    uint64
+}
+
 // ConnectionStageTimestamps holds timestamps for each connection stage
 type ConnectionStageTimestamps struct {
 	SignalingReceived  time.Time // First signal received from remote peer (both initial and reconnection)
@@ -127,6 +147,17 @@ func (c *ClientMetrics) RecordSyncDuration(ctx context.Context, duration time.Du
 	c.impl.RecordSyncDuration(ctx, agentInfo, duration)
 }

+// RecordVNCSessionTick records a periodic snapshot of one VNC session.
+func (c *ClientMetrics) RecordVNCSessionTick(ctx context.Context, tick VNCSessionTick) {
+	if c == nil {
+		return
+	}
+	c.mu.RLock()
+	agentInfo := c.agentInfo
+	c.mu.RUnlock()
+	c.impl.RecordVNCSessionTick(ctx, agentInfo, tick)
+}
+
 // RecordLoginDuration records how long the login to management server took
 func (c *ClientMetrics) RecordLoginDuration(ctx context.Context, duration time.Duration, success bool) {
 	if c == nil {
--- a/client/internal/metrics/push_test.go
+++ b/client/internal/metrics/push_test.go
@@ -73,6 +73,9 @@ func (m *mockMetrics) RecordSyncDuration(_ context.Context, _ AgentInfo, _ time.
 func (m *mockMetrics) RecordLoginDuration(_ context.Context, _ AgentInfo, _ time.Duration, _ bool) {
 }

+func (m *mockMetrics) RecordVNCSessionTick(_ context.Context, _ AgentInfo, _ VNCSessionTick) {
+}
+
 func (m *mockMetrics) Export(w io.Writer) error {
 	if m.exportData != "" {
 		_, err := w.Write([]byte(m.exportData))
--- a/client/internal/networkmonitor/check_change_common.go
+++ b/client/internal/networkmonitor/check_change_common.go
@@ -50,7 +50,7 @@ func routeCheck(ctx context.Context, fd int, nexthopv4, nexthopv6 systemops.Next
 		switch msg.Type {
 		// handle route changes
 		case unix.RTM_ADD, syscall.RTM_DELETE:
-			route, flags, err := parseRouteMessage(buf[:n])
+			route, err := parseRouteMessage(buf[:n])
 			if err != nil {
 				log.Debugf("Network monitor: error parsing routing message: %v", err)
 				continue
@@ -66,10 +66,6 @@ func routeCheck(ctx context.Context, fd int, nexthopv4, nexthopv6 systemops.Next
 			}
 			switch msg.Type {
 			case unix.RTM_ADD:
-				if systemops.IgnoreAddedDefaultRoute(flags) {
-					log.Debugf("Network monitor: ignoring added default route via %s, interface %s, flags %#x", route.Gw, intf, flags)
-					continue
-				}
 				log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
 				return nil
 			case unix.RTM_DELETE:
@@ -82,26 +78,22 @@ func routeCheck(ctx context.Context, fd int, nexthopv4, nexthopv6 systemops.Next
 	}
 }

-func parseRouteMessage(buf []byte) (*systemops.Route, int, error) {
+func parseRouteMessage(buf []byte) (*systemops.Route, error) {
 	msgs, err := route.ParseRIB(route.RIBTypeRoute, buf)
 	if err != nil {
-		return nil, 0, fmt.Errorf("parse RIB: %v", err)
+		return nil, fmt.Errorf("parse RIB: %v", err)
 	}

 	if len(msgs) != 1 {
-		return nil, 0, fmt.Errorf("unexpected RIB message msgs: %v", msgs)
+		return nil, fmt.Errorf("unexpected RIB message msgs: %v", msgs)
 	}

 	msg, ok := msgs[0].(*route.RouteMessage)
 	if !ok {
-		return nil, 0, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
+		return nil, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
 	}

-	r, err := systemops.MsgToRoute(msg)
-	if err != nil {
-		return nil, 0, err
-	}
-	return r, msg.Flags, nil
+	return systemops.MsgToRoute(msg)
 }

 // waitReadable blocks until fd has data to read, or ctx is cancelled.
--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -23,7 +23,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer/id"
 	"github.com/netbirdio/netbird/client/internal/peer/worker"
 	"github.com/netbirdio/netbird/client/internal/portforward"
-	"github.com/netbirdio/netbird/client/internal/rosenpass"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/route"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
@@ -900,7 +899,7 @@ func (conn *Conn) presharedKey(remoteRosenpassKey []byte) *wgtypes.Key {
 	}

 	// Fallback to deterministic key if no NetBird PSK is configured
-	determKey, err := rosenpass.DeterministicSeedKey(conn.config.LocalKey, conn.config.Key)
+	determKey, err := conn.rosenpassDetermKey()
 	if err != nil {
 		conn.Log.Errorf("failed to generate Rosenpass initial key: %v", err)
 		return nil
@@ -909,6 +908,26 @@ func (conn *Conn) presharedKey(remoteRosenpassKey []byte) *wgtypes.Key {
 	return determKey
 }

+// todo: move this logic into Rosenpass package
+func (conn *Conn) rosenpassDetermKey() (*wgtypes.Key, error) {
+	lk := []byte(conn.config.LocalKey)
+	rk := []byte(conn.config.Key) // remote key
+	var keyInput []byte
+	if string(lk) > string(rk) {
+		//nolint:gocritic
+		keyInput = append(lk[:16], rk[:16]...)
+	} else {
+		//nolint:gocritic
+		keyInput = append(rk[:16], lk[:16]...)
+	}
+
+	key, err := wgtypes.NewKey(keyInput)
+	if err != nil {
+		return nil, err
+	}
+	return &key, nil
+}
+
 func isController(config ConnConfig) bool {
 	return config.LocalKey > config.Key
 }
--- a/client/internal/peer/status.go
+++ b/client/internal/peer/status.go
@@ -111,7 +111,6 @@ type LocalPeerState struct {
 	PubKey          string
 	KernelInterface bool
 	FQDN            string
-	WgPort          int
 	Routes          map[string]struct{}
 }

@@ -186,12 +185,9 @@ func (s *StatusChangeSubscription) Events() chan map[string]RouterState {
 	return s.eventsChan
 }

-// Status holds a state of peers, signal, management connections and relays.
-// mux is an RWMutex so hot read paths (notably PeerStateByIP, called for
-// every private-service request) don't contend against each other.
-// Pure read methods take RLock; anything that mutates state takes Lock.
+// Status holds a state of peers, signal, management connections and relays
 type Status struct {
-	mux                   sync.RWMutex
+	mux                   sync.Mutex
 	peers                 map[string]State
 	changeNotify          map[string]map[string]*StatusChangeSubscription // map[peerID]map[subscriptionID]*StatusChangeSubscription
 	signalState           bool
@@ -287,8 +283,8 @@ func (d *Status) AddPeer(peerPubKey string, fqdn string, ip string, ipv6 string)

 // GetPeer adds peer to Daemon status map
 func (d *Status) GetPeer(peerPubKey string) (State, error) {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()

 	state, ok := d.peers[peerPubKey]
 	if !ok {
@@ -298,8 +294,8 @@ func (d *Status) GetPeer(peerPubKey string) (State, error) {
 }

 func (d *Status) PeerByIP(ip string) (string, bool) {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()

 	for _, state := range d.peers {
 		if state.IP == ip {
@@ -309,34 +305,6 @@ func (d *Status) PeerByIP(ip string) (string, bool) {
 	return "", false
 }

-// PeerStateByIP returns the full peer State for the given tunnel IP.
-// Matches against either the IPv4 (State.IP) or IPv6 (State.IPv6) tunnel
-// address so dual-stack peers are reachable on either family. Searches
-// both d.peers and d.offlinePeers — peers that have been moved into
-// the offline slice by ReplaceOfflinePeers are still part of the
-// account's roster and callers (DNS filter, embed.Client.IdentityForIP)
-// need to recognise them rather than treating them as unknown. Returns
-// the zero State and false when no peer matches or the input is empty.
-func (d *Status) PeerStateByIP(ip string) (State, bool) {
-	if ip == "" {
-		return State{}, false
-	}
-	d.mux.RLock()
-	defer d.mux.RUnlock()
-
-	for _, state := range d.peers {
-		if (state.IP != "" && state.IP == ip) || (state.IPv6 != "" && state.IPv6 == ip) {
-			return state, true
-		}
-	}
-	for _, state := range d.offlinePeers {
-		if (state.IP != "" && state.IP == ip) || (state.IPv6 != "" && state.IPv6 == ip) {
-			return state, true
-		}
-	}
-	return State{}, false
-}
-
 // RemovePeer removes peer from Daemon status map
 func (d *Status) RemovePeer(peerPubKey string) error {
 	d.mux.Lock()
@@ -734,8 +702,8 @@ func (d *Status) UnsubscribePeerStateChanges(subscription *StatusChangeSubscript

 // GetLocalPeerState returns the local peer state
 func (d *Status) GetLocalPeerState() LocalPeerState {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	return d.localPeer.Clone()
 }

@@ -941,8 +909,8 @@ func (d *Status) DeleteResolvedDomainsStates(domain domain.Domain) {
 }

 func (d *Status) GetRosenpassState() RosenpassState {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	return RosenpassState{
 		d.rosenpassEnabled,
 		d.rosenpassPermissive,
@@ -950,14 +918,14 @@ func (d *Status) GetRosenpassState() RosenpassState {
 }

 func (d *Status) GetLazyConnection() bool {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	return d.lazyConnectionEnabled
 }

 func (d *Status) GetManagementState() ManagementState {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	return ManagementState{
 		d.mgmAddress,
 		d.managementState,
@@ -983,8 +951,8 @@ func (d *Status) UpdateLatency(pubKey string, latency time.Duration) error {

 // IsLoginRequired determines if a peer's login has expired.
 func (d *Status) IsLoginRequired() bool {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()

 	// if peer is connected to the management then login is not expired
 	if d.managementState {
@@ -999,8 +967,8 @@ func (d *Status) IsLoginRequired() bool {
 }

 func (d *Status) GetSignalState() SignalState {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	return SignalState{
 		d.signalAddress,
 		d.signalState,
@@ -1010,8 +978,8 @@ func (d *Status) GetSignalState() SignalState {

 // GetRelayStates returns the stun/turn/permanent relay states
 func (d *Status) GetRelayStates() []relay.ProbeResult {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	if d.relayMgr == nil {
 		return d.relayStates
 	}
@@ -1040,8 +1008,8 @@ func (d *Status) GetRelayStates() []relay.ProbeResult {
 }

 func (d *Status) ForwardingRules() []firewall.ForwardRule {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	if d.ingressGwMgr == nil {
 		return nil
 	}
@@ -1050,16 +1018,16 @@ func (d *Status) ForwardingRules() []firewall.ForwardRule {
 }

 func (d *Status) GetDNSStates() []NSGroupState {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()

 	// shallow copy is good enough, as slices fields are currently not updated
 	return slices.Clone(d.nsGroupStates)
 }

 func (d *Status) GetResolvedDomainsStates() map[domain.Domain]ResolvedDomainInfo {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	return maps.Clone(d.resolvedDomainsStates)
 }

@@ -1075,8 +1043,8 @@ func (d *Status) GetFullStatus() FullStatus {
 		LazyConnectionEnabled: d.GetLazyConnection(),
 	}

-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()

 	fullStatus.LocalPeerState = d.localPeer

@@ -1223,6 +1191,15 @@ func (d *Status) SubscribeToEvents() *EventSubscription {
 	}
 }

+// HasEventSubscribers reports whether any client is currently subscribed
+// to the daemon's SystemEvent stream. Used by the VNC approval broker to
+// fail closed when no UI is connected to prompt the user.
+func (d *Status) HasEventSubscribers() bool {
+	d.eventMux.Lock()
+	defer d.eventMux.Unlock()
+	return len(d.eventStreams) > 0
+}
+
 // UnsubscribeFromEvents removes an event subscription
 func (d *Status) UnsubscribeFromEvents(sub *EventSubscription) {
 	if sub == nil {
@@ -1251,8 +1228,8 @@ func (d *Status) SetWgIface(wgInterface WGIfaceStatus) {
 }

 func (d *Status) PeersStatus() (*configurer.Stats, error) {
-	d.mux.RLock()
-	defer d.mux.RUnlock()
+	d.mux.Lock()
+	defer d.mux.Unlock()
 	if d.wgIface == nil {
 		return nil, fmt.Errorf("wgInterface is nil, cannot retrieve peers status")
 	}
@@ -1358,7 +1335,6 @@ func (fs FullStatus) ToProto() *proto.FullStatus {
 	pbFullStatus.LocalPeerState.PubKey = fs.LocalPeerState.PubKey
 	pbFullStatus.LocalPeerState.KernelInterface = fs.LocalPeerState.KernelInterface
 	pbFullStatus.LocalPeerState.Fqdn = fs.LocalPeerState.FQDN
-	pbFullStatus.LocalPeerState.WgPort = int32(fs.LocalPeerState.WgPort)
 	pbFullStatus.LocalPeerState.RosenpassPermissive = fs.RosenpassState.Permissive
 	pbFullStatus.LocalPeerState.RosenpassEnabled = fs.RosenpassState.Enabled
 	pbFullStatus.NumberOfForwardingRules = int32(fs.NumOfForwardingRules)
--- a/client/internal/peer/status_test.go
+++ b/client/internal/peer/status_test.go
@@ -63,55 +63,6 @@ func TestUpdatePeerState(t *testing.T) {
 	assert.Equal(t, ip, state.IP, "ip should be equal")
 }

-func TestStatus_PeerStateByIP(t *testing.T) {
-	status := NewRecorder("https://mgm")
-	req := require.New(t)
-
-	req.NoError(status.AddPeer("pk-1", "peer-1.netbird", "100.64.0.10", ""))
-	req.NoError(status.AddPeer("pk-2", "peer-2.netbird", "100.64.0.11", ""))
-
-	state, ok := status.PeerStateByIP("100.64.0.10")
-	req.True(ok, "known tunnel IP should resolve to a peer state")
-	req.Equal("pk-1", state.PubKey, "matching state must carry the right pub key")
-	req.Equal("peer-1.netbird", state.FQDN, "matching state must carry the right FQDN")
-
-	_, ok = status.PeerStateByIP("100.64.0.99")
-	req.False(ok, "unknown IP must report ok=false")
-}
-
-func TestStatus_PeerStateByIP_MatchesIPv6(t *testing.T) {
-	status := NewRecorder("https://mgm")
-	req := require.New(t)
-
-	req.NoError(status.AddPeer("pk-1", "peer-1.netbird", "100.64.0.10", "fd00::1"))
-
-	state, ok := status.PeerStateByIP("fd00::1")
-	req.True(ok, "IPv6-only match must resolve to the peer state")
-	req.Equal("pk-1", state.PubKey, "matching state must carry the right pub key")
-}
-
-// TestStatus_PeerStateByIP_MatchesOfflinePeers covers peers that have
-// been moved into the offline slice via ReplaceOfflinePeers. Callers
-// (DNS filter, embed.Client.IdentityForIP) need to treat them as known
-// rather than unknown — otherwise authentication / DNS filtering treats
-// known-but-offline peers as foreign IPs.
-func TestStatus_PeerStateByIP_MatchesOfflinePeers(t *testing.T) {
-	status := NewRecorder("https://mgm")
-	req := require.New(t)
-
-	status.ReplaceOfflinePeers([]State{
-		{PubKey: "pk-offline", FQDN: "offline.netbird", IP: "100.64.0.20", IPv6: "fd00::20"},
-	})
-
-	state, ok := status.PeerStateByIP("100.64.0.20")
-	req.True(ok, "offline peer must resolve by IPv4 tunnel address")
-	req.Equal("pk-offline", state.PubKey, "matching state must carry the offline peer's pub key")
-
-	state, ok = status.PeerStateByIP("fd00::20")
-	req.True(ok, "offline peer must resolve by IPv6 tunnel address")
-	req.Equal("pk-offline", state.PubKey, "IPv6 match must carry the offline peer's pub key")
-}
-
 func TestStatus_UpdatePeerFQDN(t *testing.T) {
 	key := "abc"
 	fqdn := "peer-a.netbird.local"
--- a/client/internal/portforward/pcp/nat.go
+++ b/client/internal/portforward/pcp/nat.go
@@ -179,10 +179,8 @@ func getDefaultGateway() (gateway net.IP, localIP net.IP, err error) {
 	}

 	dst := net.IPv4zero
-	if runtime.GOOS == "linux" || runtime.GOOS == "android" {
-		// go-netroute v0.4.0 rejects unspecified destinations client-side on Linux/Android.
-		// TODO: on android/ios, use platform APIs (ConnectivityManager.getLinkProperties /
-		// NWPathMonitor) when netlink-based lookup is restricted or unavailable.
+	if runtime.GOOS == "linux" {
+		// go-netroute v0.4.0 rejects unspecified destinations client-side on Linux.
 		dst = net.IPv4(0, 0, 0, 1)
 	}
 	_, gateway, localIP, err = router.Route(dst)
@@ -205,7 +203,7 @@ func getDefaultGateway6() (gateway net.IP, localIP net.IP, err error) {
 	}

 	dst := net.IPv6zero
-	if runtime.GOOS == "linux" || runtime.GOOS == "android" {
+	if runtime.GOOS == "linux" {
 		// ::2
 		dst = net.IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2}
 	}
--- a/client/internal/profilemanager/config.go
+++ b/client/internal/profilemanager/config.go
@@ -22,7 +22,6 @@ import (

 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal/routemanager/dynamic"
-	"github.com/netbirdio/netbird/client/mdm"
 	"github.com/netbirdio/netbird/client/ssh"
 	mgm "github.com/netbirdio/netbird/shared/management/client"
 	"github.com/netbirdio/netbird/shared/management/domain"
@@ -66,6 +65,8 @@ type ConfigInput struct {
 	StateFilePath                 string
 	PreSharedKey                  *string
 	ServerSSHAllowed              *bool
+	ServerVNCAllowed              *bool
+	DisableVNCApproval            *bool
 	EnableSSHRoot                 *bool
 	EnableSSHSFTP                 *bool
 	EnableSSHLocalPortForwarding  *bool
@@ -117,6 +118,8 @@ type Config struct {
 	RosenpassEnabled              bool
 	RosenpassPermissive           bool
 	ServerSSHAllowed              *bool
+	ServerVNCAllowed              *bool
+	DisableVNCApproval            *bool
 	EnableSSHRoot                 *bool
 	EnableSSHSFTP                 *bool
 	EnableSSHLocalPortForwarding  *bool
@@ -175,23 +178,6 @@ type Config struct {
 	LazyConnectionEnabled bool

 	MTU uint16
-
-	// policy is the MDM policy that produced the currently-set values for
-	// any MDM-enforced fields. Set by applyMDMPolicy at the tail of apply()
-	// and reset on every apply() invocation. Never persisted to disk.
-	// Callers query enforcement state via Policy() and the mdm.Policy API
-	// (HasKey, ManagedKeys, IsEmpty).
-	policy *mdm.Policy `json:"-"`
-}
-
-// Policy returns the MDM policy applied to this Config. Returns a non-nil
-// empty Policy when MDM enforcement is inactive; callers can always invoke
-// HasKey / ManagedKeys / IsEmpty without a nil check.
-func (config *Config) Policy() *mdm.Policy {
-	if config == nil || config.policy == nil {
-		return mdm.NewPolicy(nil)
-	}
-	return config.policy
 }

 var ConfigDirOverride string
@@ -436,6 +422,33 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}

+	if input.ServerVNCAllowed != nil {
+		if config.ServerVNCAllowed == nil || *input.ServerVNCAllowed != *config.ServerVNCAllowed {
+			if *input.ServerVNCAllowed {
+				log.Infof("enabling VNC server")
+			} else {
+				log.Infof("disabling VNC server")
+			}
+			config.ServerVNCAllowed = input.ServerVNCAllowed
+			updated = true
+		}
+	} else if config.ServerVNCAllowed == nil {
+		config.ServerVNCAllowed = util.False()
+		updated = true
+	}
+
+	if input.DisableVNCApproval != nil {
+		if config.DisableVNCApproval == nil || *input.DisableVNCApproval != *config.DisableVNCApproval {
+			if *input.DisableVNCApproval {
+				log.Infof("disabling VNC connection approval prompt")
+			} else {
+				log.Infof("enabling VNC connection approval prompt")
+			}
+			config.DisableVNCApproval = input.DisableVNCApproval
+			updated = true
+		}
+	}
+
 	if input.EnableSSHRoot != nil && input.EnableSSHRoot != config.EnableSSHRoot {
 		if *input.EnableSSHRoot {
 			log.Infof("enabling SSH root login")
@@ -630,96 +643,10 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}

-	// MDM is the last override layer: any key present in the policy
-	// supersedes defaults, on-disk config, env vars and CLI input.
-	config.applyMDMPolicy(loadMDMPolicy())
-
 	return updated, nil
 }

-// loadMDMPolicy is the package-level indirection used by apply() to read the
-// active MDM policy. Tests override this to inject a fake policy.
-var loadMDMPolicy = mdm.LoadPolicy
-
-// applyMDMPolicy overlays MDM-supplied values on top of the resolved Config.
-// The provided Policy is also stored on the Config so callers can later query
-// which fields are enforced. Invalid values (e.g. malformed URLs) are logged
-// and skipped to avoid bricking the client; the field keeps its previous
-// resolved value but is still marked as managed (Policy.HasKey returns true
-// for the key, so per-field rejection of user writes still applies).
-func (config *Config) applyMDMPolicy(policy *mdm.Policy) {
-	config.policy = policy
-	if policy.IsEmpty() {
-		return
-	}
-
-	// Helper: log the application of a single MDM-managed key. Values for
-	// keys in mdm.SecretKeys are redacted.
-	logApplied := func(key string, displayValue any) {
-		if _, secret := mdm.SecretKeys[key]; secret {
-			log.Infof("MDM override %s = ********** (secret)", key)
-			return
-		}
-		log.Infof("MDM override %s = %v", key, displayValue)
-	}
-
-	if v, ok := policy.GetString(mdm.KeyManagementURL); ok {
-		if u, err := parseURL("Management URL", v); err != nil {
-			log.Warnf("MDM management URL %q invalid: %v; keeping previous value", v, err)
-		} else {
-			config.ManagementURL = u
-			logApplied(mdm.KeyManagementURL, u.String())
-		}
-	}
-
-	if v, ok := policy.GetString(mdm.KeyPreSharedKey); ok {
-		// Defensive: refuse the redaction mask in case it round-tripped
-		// through a manifest by mistake.
-		if !isPreSharedKeyHidden(&v) {
-			config.PreSharedKey = v
-			logApplied(mdm.KeyPreSharedKey, "")
-		}
-	}
-
-	// applyBool collapses the per-key "read + set + log" boilerplate
-	// for every plain bool MDM key into a single helper. Keeps the
-	// outer function's cognitive complexity below SonarCube's
-	// threshold; functional behaviour is identical to the inlined
-	// branches it replaces.
-	applyBool := func(key string, setter func(bool)) {
-		v, ok := policy.GetBool(key)
-		if !ok {
-			return
-		}
-		setter(v)
-		logApplied(key, v)
-	}
-
-	applyBool(mdm.KeyAllowServerSSH, func(v bool) { bv := v; config.ServerSSHAllowed = &bv })
-	applyBool(mdm.KeyDisableClientRoutes, func(v bool) { config.DisableClientRoutes = v })
-	applyBool(mdm.KeyDisableServerRoutes, func(v bool) { config.DisableServerRoutes = v })
-	applyBool(mdm.KeyBlockInbound, func(v bool) { config.BlockInbound = v })
-	applyBool(mdm.KeyDisableAutoConnect, func(v bool) { config.DisableAutoConnect = v })
-	applyBool(mdm.KeyRosenpassEnabled, func(v bool) { config.RosenpassEnabled = v })
-	applyBool(mdm.KeyRosenpassPermissive, func(v bool) { config.RosenpassPermissive = v })
-
-	if v, ok := policy.GetInt(mdm.KeyWireguardPort); ok {
-		// REG_DWORD is 32-bit; UDP port range is 1-65535. Clamp at the
-		// upper bound and reject obviously-invalid values to avoid the
-		// engine binding to an unusable port if the admin pushes garbage.
-		if v >= 1 && v <= 65535 {
-			config.WgPort = int(v)
-			logApplied(mdm.KeyWireguardPort, v)
-		} else {
-			log.Warnf("MDM wireguard port %d out of range [1,65535]; keeping previous value", v)
-		}
-	}
-}
-
-// parseURL parses and validates the URL for the named service.
-// It requires the URL to use the http or https scheme and, if no port is present,
-// appends ":443" for https or ":80" for http. On success it returns the parsed
-// ":80" is appended. The `serviceName` is used to contextualize error messages.
+// parseURL parses and validates a service URL
 func parseURL(serviceName, serviceURL string) (*url.URL, error) {
 	parsedMgmtURL, err := url.ParseRequestURI(serviceURL)
 	if err != nil {
--- a/client/internal/profilemanager/config_mdm_test.go
+++ b/client/internal/profilemanager/config_mdm_test.go
@@ -1,152 +0,0 @@
-package profilemanager
-
-import (
-	"path/filepath"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/mdm"
-)
-
-// withMDMPolicy temporarily overrides the package-level loadMDMPolicy hook so
-// apply() observes the supplied Policy. The original loader is restored at
-// test cleanup.
-func withMDMPolicy(t *testing.T, policy *mdm.Policy) {
-	t.Helper()
-	prev := loadMDMPolicy
-	loadMDMPolicy = func() *mdm.Policy { return policy }
-	t.Cleanup(func() { loadMDMPolicy = prev })
-}
-
-func TestApply_MDMEmpty_NoEnforcement(t *testing.T) {
-	withMDMPolicy(t, mdm.NewPolicy(nil))
-
-	cfg, err := UpdateOrCreateConfig(ConfigInput{
-		ConfigPath: filepath.Join(t.TempDir(), "config.json"),
-	})
-	require.NoError(t, err)
-	require.NotNil(t, cfg)
-
-	assert.True(t, cfg.Policy().IsEmpty(), "no MDM source ⇒ empty Policy")
-	assert.False(t, cfg.Policy().HasKey(mdm.KeyManagementURL))
-	assert.Empty(t, cfg.Policy().ManagedKeys())
-
-	// Default management URL still resolves.
-	assert.Equal(t, DefaultManagementURL, cfg.ManagementURL.String())
-}
-
-func TestApply_MDMOnly_OverridesDefaults(t *testing.T) {
-	const mdmURL = "https://corp.mdm.example.com:443"
-	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
-		mdm.KeyManagementURL:       mdmURL,
-		mdm.KeyDisableClientRoutes: true,
-		mdm.KeyBlockInbound:        true,
-	}))
-
-	cfg, err := UpdateOrCreateConfig(ConfigInput{
-		ConfigPath: filepath.Join(t.TempDir(), "config.json"),
-	})
-	require.NoError(t, err)
-	require.NotNil(t, cfg)
-
-	assert.Equal(t, mdmURL, cfg.ManagementURL.String())
-	assert.True(t, cfg.DisableClientRoutes)
-	assert.True(t, cfg.BlockInbound)
-
-	assert.True(t, cfg.Policy().HasKey(mdm.KeyManagementURL))
-	assert.True(t, cfg.Policy().HasKey(mdm.KeyDisableClientRoutes))
-	assert.True(t, cfg.Policy().HasKey(mdm.KeyBlockInbound))
-	assert.False(t, cfg.Policy().HasKey(mdm.KeyAllowServerSSH))
-}
-
-func TestApply_MDMBeatsCLIInput(t *testing.T) {
-	const mdmURL = "https://mdm.example.com:443"
-	const cliURL = "https://cli.example.com:443"
-
-	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
-		mdm.KeyManagementURL: mdmURL,
-	}))
-
-	cfg, err := UpdateOrCreateConfig(ConfigInput{
-		ConfigPath:    filepath.Join(t.TempDir(), "config.json"),
-		ManagementURL: cliURL,
-	})
-	require.NoError(t, err)
-	require.NotNil(t, cfg)
-
-	// MDM wins over CLI-supplied management URL.
-	assert.Equal(t, mdmURL, cfg.ManagementURL.String())
-	assert.True(t, cfg.Policy().HasKey(mdm.KeyManagementURL))
-}
-
-func TestApply_MDMInvalidURL_KeepsPreviousValue(t *testing.T) {
-	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
-		mdm.KeyManagementURL: "not-a-url",
-	}))
-
-	cfg, err := UpdateOrCreateConfig(ConfigInput{
-		ConfigPath: filepath.Join(t.TempDir(), "config.json"),
-	})
-	require.NoError(t, err)
-	require.NotNil(t, cfg)
-
-	// Invalid MDM URL is logged and skipped: default URL stays in place
-	// to keep the client functional.
-	assert.Equal(t, DefaultManagementURL, cfg.ManagementURL.String())
-
-	// But the key is still considered MDM-managed (admin intent is to
-	// enforce, daemon rejects user writes to this field — phase-1 scaffolding
-	// reflects this by keeping Policy.HasKey true even on parse failure).
-	assert.True(t, cfg.Policy().HasKey(mdm.KeyManagementURL))
-}
-
-func TestApply_MDMBoolKeysOverrideOnDiskValue(t *testing.T) {
-	tmp := filepath.Join(t.TempDir(), "config.json")
-
-	// Seed without MDM.
-	withMDMPolicy(t, mdm.NewPolicy(nil))
-	_, err := UpdateOrCreateConfig(ConfigInput{
-		ConfigPath:          tmp,
-		DisableClientRoutes: boolPtr(false),
-		RosenpassEnabled:    boolPtr(false),
-	})
-	require.NoError(t, err)
-
-	// Now enable MDM enforcement for these keys.
-	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
-		mdm.KeyDisableClientRoutes: true,
-		mdm.KeyRosenpassEnabled:    true,
-	}))
-
-	cfg, err := UpdateOrCreateConfig(ConfigInput{ConfigPath: tmp})
-	require.NoError(t, err)
-	require.NotNil(t, cfg)
-
-	assert.True(t, cfg.DisableClientRoutes, "MDM override should flip on-disk false to true")
-	assert.True(t, cfg.RosenpassEnabled)
-	assert.True(t, cfg.Policy().HasKey(mdm.KeyDisableClientRoutes))
-	assert.True(t, cfg.Policy().HasKey(mdm.KeyRosenpassEnabled))
-}
-
-func TestApply_MDMPreSharedKeyRedactionSentinelRejected(t *testing.T) {
-	const maskSentinel = "**********"
-
-	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
-		mdm.KeyPreSharedKey: maskSentinel,
-	}))
-
-	cfg, err := UpdateOrCreateConfig(ConfigInput{
-		ConfigPath: filepath.Join(t.TempDir(), "config.json"),
-	})
-	require.NoError(t, err)
-	require.NotNil(t, cfg)
-
-	// Mask sentinel must not be persisted as the actual PSK.
-	assert.NotEqual(t, maskSentinel, cfg.PreSharedKey)
-	// Key still marked managed so user writes are still rejected.
-	assert.True(t, cfg.Policy().HasKey(mdm.KeyPreSharedKey))
-}
-
-func boolPtr(b bool) *bool { return &b }
--- a/client/internal/rosenpass/manager.go
+++ b/client/internal/rosenpass/manager.go
@@ -28,15 +28,6 @@ func hashRosenpassKey(key []byte) string {
 	return hex.EncodeToString(hasher.Sum(nil))
 }

-// rpServer is the subset of rp.Server used by Manager. Defined as an interface
-// so tests can substitute a mock without spinning up a real UDP server.
-type rpServer interface {
-	AddPeer(rp.PeerConfig) (rp.PeerID, error)
-	RemovePeer(rp.PeerID) error
-	Run() error
-	Close() error
-}
-
 type Manager struct {
 	ifaceName    string
 	spk          []byte
@@ -45,7 +36,7 @@ type Manager struct {
 	preSharedKey *[32]byte
 	rpPeerIDs    map[string]*rp.PeerID
 	rpWgHandler  *NetbirdHandler
-	server       rpServer
+	server       *rp.Server
 	lock         sync.Mutex
 	port         int
 	wgIface      PresharedKeySetter
@@ -60,22 +51,7 @@ func NewManager(preSharedKey *wgtypes.Key, wgIfaceName string) (*Manager, error)

 	rpKeyHash := hashRosenpassKey(public)
 	log.Tracef("generated new rosenpass key pair with public key %s", rpKeyHash)
-	return &Manager{
-		ifaceName:    wgIfaceName,
-		rpKeyHash:    rpKeyHash,
-		spk:          public,
-		ssk:          secret,
-		preSharedKey: (*[32]byte)(preSharedKey),
-		rpPeerIDs:    make(map[string]*rp.PeerID),
-		// rpWgHandler is created here (instead of only in generateConfig) so it
-		// is never nil between NewManager and Run(). Otherwise an early
-		// OnConnected call (race observed on Android, issue #4341) panics on
-		// nil receiver in addPeer -> m.rpWgHandler.AddPeer. generateConfig will
-		// replace it with a fresh handler on each Run() to clear stale peer
-		// state from previous engine sessions.
-		rpWgHandler: NewNetbirdHandler(),
-		lock:        sync.Mutex{},
-	}, nil
+	return &Manager{ifaceName: wgIfaceName, rpKeyHash: rpKeyHash, spk: public, ssk: secret, preSharedKey: (*[32]byte)(preSharedKey), rpPeerIDs: make(map[string]*rp.PeerID), lock: sync.Mutex{}}, nil
 }

 func (m *Manager) GetPubKey() []byte {
@@ -89,16 +65,6 @@ func (m *Manager) GetAddress() *net.UDPAddr {

 // addPeer adds a new peer to the Rosenpass server
 func (m *Manager) addPeer(rosenpassPubKey []byte, rosenpassAddr string, wireGuardIP string, wireGuardPubKey string) error {
-	// Defense in depth against issue #4341 (Android crash): if Run() has not
-	// completed yet, m.server / m.rpWgHandler may be nil. Return an explicit
-	// error instead of panicking on nil-receiver dereference.
-	if m.server == nil {
-		return fmt.Errorf("rosenpass server not initialized")
-	}
-	if m.rpWgHandler == nil {
-		return fmt.Errorf("rosenpass wg handler not initialized")
-	}
-
 	var err error
 	pcfg := rp.PeerConfig{PublicKey: rosenpassPubKey}
 	if m.preSharedKey != nil {
@@ -113,16 +79,6 @@ func (m *Manager) addPeer(rosenpassPubKey []byte, rosenpassAddr string, wireGuar
 		if pcfg.Endpoint, err = net.ResolveUDPAddr("udp", peerAddr); err != nil {
 			return fmt.Errorf("failed to resolve peer endpoint address: %w", err)
 		}
-		// Our local Rosenpass UDP server binds on the IPv6 wildcard ([::]) — see
-		// GetAddress(). The remote peer's endpoint (pcfg.Endpoint) is the destination
-		// our server will sendto when initiating handshakes. ResolveUDPAddr returns a
-		// 4-byte IPv4 for IPv4 hosts, which the kernel rejects (EDESTADDRREQ) when
-		// sent from an AF_INET6 socket. Normalize the remote endpoint to IPv4-mapped
-		// IPv6 so its address family matches our listening socket.
-		// TODO: maybe bind the Rosenpass UDP server to the peer wg IP addr
-		if v4 := pcfg.Endpoint.IP.To4(); v4 != nil {
-			pcfg.Endpoint.IP = v4.To16()
-		}
 	}
 	peerID, err := m.server.AddPeer(pcfg)
 	if err != nil {
@@ -226,31 +182,24 @@ func (m *Manager) Run() error {
 		return err
 	}

-	server, err := rp.NewUDPServer(conf)
+	m.server, err = rp.NewUDPServer(conf)
 	if err != nil {
 		return err
 	}

-	m.lock.Lock()
-	m.server = server
-	m.lock.Unlock()
-
 	log.Infof("starting rosenpass server on port %d", m.port)

-	return server.Run()
+	return m.server.Run()
 }

 // Close closes the Rosenpass server
 func (m *Manager) Close() error {
-	m.lock.Lock()
-	server := m.server
-	m.server = nil
-	m.lock.Unlock()
-	if server == nil {
-		return nil
-	}
-	if err := server.Close(); err != nil {
-		log.Errorf("failed closing local rosenpass server: %v", err)
+	if m.server != nil {
+		err := m.server.Close()
+		if err != nil {
+			log.Errorf("failed closing local rosenpass server")
+		}
+		m.server = nil
 	}
 	return nil
 }
--- a/client/internal/rosenpass/manager_test.go
+++ b/client/internal/rosenpass/manager_test.go
@@ -1,412 +1,14 @@
 package rosenpass

 import (
-	"errors"
-	"os"
-	"sync"
 	"testing"

-	rp "cunicu.li/go-rosenpass"
 	"github.com/stretchr/testify/require"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )

-// --- test doubles -----------------------------------------------------------
-
-type addPeerCall struct {
-	cfg rp.PeerConfig
-}
-
-type removePeerCall struct {
-	id rp.PeerID
-}
-
-type mockServer struct {
-	mu         sync.Mutex
-	addCalls   []addPeerCall
-	removed    []removePeerCall
-	nextID     rp.PeerID
-	addErr     error
-	removeErr  error
-	closed     bool
-	ran        bool
-}
-
-func (m *mockServer) AddPeer(cfg rp.PeerConfig) (rp.PeerID, error) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	m.addCalls = append(m.addCalls, addPeerCall{cfg: cfg})
-	if m.addErr != nil {
-		return rp.PeerID{}, m.addErr
-	}
-	// Increment a byte in nextID so distinct peers get distinct IDs.
-	m.nextID[0]++
-	return m.nextID, nil
-}
-
-func (m *mockServer) RemovePeer(id rp.PeerID) error {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	m.removed = append(m.removed, removePeerCall{id: id})
-	return m.removeErr
-}
-
-func (m *mockServer) Run() error  { m.ran = true; return nil }
-func (m *mockServer) Close() error { m.closed = true; return nil }
-
-type setPSKCall struct {
-	peerKey    string
-	psk        wgtypes.Key
-	updateOnly bool
-}
-
-type mockIface struct {
-	mu    sync.Mutex
-	calls []setPSKCall
-	err   error
-}
-
-func (m *mockIface) SetPresharedKey(peerKey string, psk wgtypes.Key, updateOnly bool) error {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	m.calls = append(m.calls, setPSKCall{peerKey: peerKey, psk: psk, updateOnly: updateOnly})
-	return m.err
-}
-
-// newTestManager builds a Manager with deterministic spk so tie-break
-// against a peer pubkey is controllable from tests. The provided spk byte
-// becomes the first byte; remaining bytes are zero.
-func newTestManager(spkFirstByte byte, mock *mockServer) *Manager {
-	spk := make([]byte, 32)
-	spk[0] = spkFirstByte
-	return &Manager{
-		ifaceName:   "wt0",
-		spk:         spk,
-		ssk:         make([]byte, 32),
-		rpKeyHash:   "test-hash",
-		rpPeerIDs:   make(map[string]*rp.PeerID),
-		rpWgHandler: NewNetbirdHandler(),
-		server:      mock,
-	}
-}
-
-// validWGKey returns a deterministic 32-byte wireguard public key (base64).
-func validWGKey(t *testing.T, lastByte byte) string {
-	t.Helper()
-	var k wgtypes.Key
-	k[31] = lastByte
-	return k.String()
-}
-
-// --- pure helpers ----------------------------------------------------------
-
-func TestHashRosenpassKey_Deterministic(t *testing.T) {
-	key := []byte("hello-rosenpass")
-	require.Equal(t, hashRosenpassKey(key), hashRosenpassKey(key))
-	require.Len(t, hashRosenpassKey(key), 64) // sha256 hex
-}
-
-func TestHashRosenpassKey_DifferentInputsDifferOutputs(t *testing.T) {
-	require.NotEqual(t, hashRosenpassKey([]byte("a")), hashRosenpassKey([]byte("b")))
-}
-
-func TestGetLogLevel_DefaultWhenUnset(t *testing.T) {
-	// Snapshot + unset to exercise the LookupEnv ok=false branch. t.Setenv
-	// can only set, not delete, so do it manually with restore via t.Cleanup.
-	prev, hadPrev := os.LookupEnv(defaultLogLevelVar)
-	require.NoError(t, os.Unsetenv(defaultLogLevelVar))
-	t.Cleanup(func() {
-		if hadPrev {
-			_ = os.Setenv(defaultLogLevelVar, prev)
-		} else {
-			_ = os.Unsetenv(defaultLogLevelVar)
-		}
-	})
-	require.Equal(t, defaultLog.String(), getLogLevel().String())
-}
-
-func TestGetLogLevel_Cases(t *testing.T) {
-	cases := map[string]string{
-		"debug":   "DEBUG",
-		"info":    "INFO",
-		"warn":    "WARN",
-		"error":   "ERROR",
-		"unknown": "INFO", // default fallback
-	}
-	for input, wantStr := range cases {
-		input, wantStr := input, wantStr
-		t.Run(input, func(t *testing.T) {
-			t.Setenv(defaultLogLevelVar, input)
-			require.Equal(t, wantStr, getLogLevel().String())
-		})
-	}
-}
-
 func TestFindRandomAvailableUDPPort(t *testing.T) {
 	port, err := findRandomAvailableUDPPort()
 	require.NoError(t, err)
 	require.Greater(t, port, 0)
 	require.LessOrEqual(t, port, 65535)
 }
-
-// --- addPeer ---------------------------------------------------------------
-
-func TestAddPeer_HigherLocalPubkey_SetsEndpoint(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv) // local spk lexicographically larger
-
-	remotePubKey := make([]byte, 32) // remote spk = all zeros (smaller)
-	err := m.addPeer(remotePubKey, "rosenpass-host:7000", "100.1.1.1", validWGKey(t, 1))
-	require.NoError(t, err)
-	require.Len(t, srv.addCalls, 1)
-
-	ep := srv.addCalls[0].cfg.Endpoint
-	require.NotNil(t, ep, "initiator side must set Endpoint")
-	require.Equal(t, 7000, ep.Port)
-	require.Equal(t, "100.1.1.1", ep.IP.String())
-}
-
-func TestAddPeer_HigherLocalPubkey_EndpointIPIsIPv4Mapped(t *testing.T) {
-	// Regression guard for the EDESTADDRREQ fix: Endpoint.IP must be 16-byte
-	// (IPv4-mapped IPv6) so it matches the AF_INET6 listening socket family.
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 1))
-	require.NoError(t, err)
-
-	ep := srv.addCalls[0].cfg.Endpoint
-	require.NotNil(t, ep)
-	require.Len(t, ep.IP, 16, "IPv4 endpoint must be normalized to 16-byte v4-mapped form")
-	require.True(t, ep.IP.To4() != nil, "Endpoint must still be detected as IPv4")
-}
-
-func TestAddPeer_LowerLocalPubkey_LeavesEndpointNil(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0x00, srv) // local spk smaller
-
-	remotePubKey := make([]byte, 32)
-	remotePubKey[0] = 0xFF
-	err := m.addPeer(remotePubKey, "rp:5000", "100.1.1.1", validWGKey(t, 2))
-	require.NoError(t, err)
-
-	require.Nil(t, srv.addCalls[0].cfg.Endpoint, "responder side must NOT set Endpoint")
-}
-
-func TestAddPeer_PresharedKeyPropagated(t *testing.T) {
-	srv := &mockServer{}
-	psk := &wgtypes.Key{0x42}
-	m := newTestManager(0xFF, srv)
-	m.preSharedKey = (*[32]byte)(psk)
-
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 3))
-	require.NoError(t, err)
-	require.Equal(t, [32]byte(*psk), [32]byte(srv.addCalls[0].cfg.PresharedKey))
-}
-
-func TestAddPeer_InvalidRosenpassAddr_ReturnsError(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv) // initiator path → parses rosenpassAddr
-
-	err := m.addPeer(make([]byte, 32), "not-a-host-port", "100.1.1.1", validWGKey(t, 1))
-	require.Error(t, err)
-	require.Empty(t, srv.addCalls, "server.AddPeer must not run when address parse fails")
-}
-
-func TestAddPeer_InvalidWireGuardPubKey_ReturnsError(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", "not-a-valid-key")
-	require.Error(t, err)
-}
-
-func TestAddPeer_ServerError_Propagates(t *testing.T) {
-	srv := &mockServer{addErr: errors.New("boom")}
-	m := newTestManager(0xFF, srv)
-
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 1))
-	require.Error(t, err)
-}
-
-// Regression guard for issue #4341 (Android crash). If Run() has not completed
-// before OnConnected fires, m.rpWgHandler or m.server may be nil. Without the
-// nil guards, m.rpWgHandler.AddPeer panics on nil receiver.
-func TestAddPeer_NilHandler_ReturnsErrorNoCrash(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-	m.rpWgHandler = nil // simulate Run() not yet completed
-
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 1))
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "wg handler not initialized")
-}
-
-func TestAddPeer_NilServer_ReturnsErrorNoCrash(t *testing.T) {
-	m := newTestManager(0xFF, nil)
-	m.server = nil // simulate Run() not yet completed
-
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 1))
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "server not initialized")
-}
-
-// NewManager must pre-initialize rpWgHandler so the nil-receiver crash from
-// issue #4341 cannot occur in the window between NewManager and Run().
-func TestNewManager_PreInitializesHandler(t *testing.T) {
-	psk := wgtypes.Key{}
-	m, err := NewManager(&psk, "wt0")
-	require.NoError(t, err)
-	require.NotNil(t, m.rpWgHandler, "rpWgHandler must be initialized in NewManager")
-}
-
-func TestAddPeer_RecordsPeerID(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	wgKey := validWGKey(t, 5)
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", wgKey)
-	require.NoError(t, err)
-	require.Contains(t, m.rpPeerIDs, wgKey)
-}
-
-// --- OnConnected / OnDisconnected ------------------------------------------
-
-func TestOnConnected_NilRemotePubKey_NoAddPeer(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	m.OnConnected(validWGKey(t, 1), nil, "100.1.1.1", "rp:5000")
-	require.Empty(t, srv.addCalls, "nil remote rosenpass pubkey must skip AddPeer")
-	require.Empty(t, m.rpPeerIDs)
-}
-
-func TestOnConnected_ValidPubKey_CallsAddPeer(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	wgKey := validWGKey(t, 1)
-	m.OnConnected(wgKey, make([]byte, 32), "100.1.1.1", "rp:5000")
-	require.Len(t, srv.addCalls, 1)
-	require.Contains(t, m.rpPeerIDs, wgKey)
-}
-
-func TestOnDisconnected_UnknownPeer_NoOp(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	m.OnDisconnected(validWGKey(t, 99))
-	require.Empty(t, srv.removed, "unknown peer key must not call RemovePeer")
-}
-
-func TestOnDisconnected_KnownPeer_CallsRemoveAndForgets(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	wgKey := validWGKey(t, 1)
-	require.NoError(t, m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", wgKey))
-	require.Contains(t, m.rpPeerIDs, wgKey)
-
-	m.OnDisconnected(wgKey)
-	require.Len(t, srv.removed, 1)
-	require.NotContains(t, m.rpPeerIDs, wgKey, "peer must be forgotten after disconnect")
-}
-
-// --- IsPresharedKeyInitialized ---------------------------------------------
-
-func TestIsPresharedKeyInitialized_UnknownPeer_ReturnsFalse(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-	require.False(t, m.IsPresharedKeyInitialized(validWGKey(t, 1)))
-}
-
-func TestIsPresharedKeyInitialized_AddedButNotHandshaken_ReturnsFalse(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	wgKey := validWGKey(t, 2)
-	require.NoError(t, m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", wgKey))
-	require.False(t, m.IsPresharedKeyInitialized(wgKey))
-}
-
-// --- NetbirdHandler.outputKey ----------------------------------------------
-
-func TestHandler_OutputKey_FirstCallUsesUpdateOnlyFalse(t *testing.T) {
-	h := NewNetbirdHandler()
-	iface := &mockIface{}
-	h.SetInterface(iface)
-
-	pid := rp.PeerID{0x01}
-	wgKey := wgtypes.Key{0xAA}
-	h.AddPeer(pid, "wt0", rp.Key(wgKey))
-
-	psk := rp.Key{0xBB}
-	h.HandshakeCompleted(pid, psk)
-
-	require.Len(t, iface.calls, 1)
-	require.False(t, iface.calls[0].updateOnly, "first PSK rotation must use updateOnly=false")
-	require.Equal(t, wgKey.String(), iface.calls[0].peerKey)
-}
-
-func TestHandler_OutputKey_SubsequentCallsUseUpdateOnlyTrue(t *testing.T) {
-	h := NewNetbirdHandler()
-	iface := &mockIface{}
-	h.SetInterface(iface)
-
-	pid := rp.PeerID{0x02}
-	h.AddPeer(pid, "wt0", rp.Key(wgtypes.Key{0xCC}))
-
-	h.HandshakeCompleted(pid, rp.Key{0x01}) // first
-	h.HandshakeCompleted(pid, rp.Key{0x02}) // second
-
-	require.Len(t, iface.calls, 2)
-	require.False(t, iface.calls[0].updateOnly)
-	require.True(t, iface.calls[1].updateOnly, "subsequent rotations must use updateOnly=true")
-}
-
-func TestHandler_OutputKey_NilInterface_NoCrashNoCall(t *testing.T) {
-	h := NewNetbirdHandler()
-	// no SetInterface — iface remains nil
-	pid := rp.PeerID{0x03}
-	h.AddPeer(pid, "wt0", rp.Key(wgtypes.Key{}))
-
-	// Must not panic.
-	h.HandshakeCompleted(pid, rp.Key{})
-}
-
-func TestHandler_OutputKey_UnknownPeer_NoCall(t *testing.T) {
-	h := NewNetbirdHandler()
-	iface := &mockIface{}
-	h.SetInterface(iface)
-
-	h.HandshakeCompleted(rp.PeerID{0xFF}, rp.Key{})
-	require.Empty(t, iface.calls, "unknown peer id must not trigger SetPresharedKey")
-}
-
-func TestHandler_RemovePeer_ClearsInitializedState(t *testing.T) {
-	h := NewNetbirdHandler()
-	iface := &mockIface{}
-	h.SetInterface(iface)
-
-	pid := rp.PeerID{0x04}
-	h.AddPeer(pid, "wt0", rp.Key(wgtypes.Key{0xDD}))
-	h.HandshakeCompleted(pid, rp.Key{0x01})
-	require.True(t, h.IsPeerInitialized(pid))
-
-	h.RemovePeer(pid)
-	require.False(t, h.IsPeerInitialized(pid), "RemovePeer must clear initialized flag")
-}
-
-func TestHandler_SetInterfaceAfterAddPeer_StillReceivesKey(t *testing.T) {
-	h := NewNetbirdHandler()
-	pid := rp.PeerID{0x05}
-	wgKey := wgtypes.Key{0xEE}
-	h.AddPeer(pid, "wt0", rp.Key(wgKey))
-
-	iface := &mockIface{}
-	h.SetInterface(iface) // set after AddPeer
-
-	h.HandshakeCompleted(pid, rp.Key{0x42})
-	require.Len(t, iface.calls, 1)
-	require.Equal(t, wgKey.String(), iface.calls[0].peerKey)
-}
--- a/client/internal/rosenpass/seed.go
+++ b/client/internal/rosenpass/seed.go
@@ -1,42 +0,0 @@
-package rosenpass
-
-import (
-	"fmt"
-
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-)
-
-// DeterministicSeedKey derives a 32-byte WireGuard preshared key from a pair
-// of peer public keys. Both peers, given the same key pair, produce the same
-// output regardless of which side runs the function: the inputs are ordered
-// lexicographically before concatenation.
-//
-// NetBird uses this value as the initial Rosenpass-side preshared key when no
-// explicit account-level PSK is configured, so both peers converge on the same
-// PSK before the first post-quantum handshake completes.
-//
-// The resulting key MUST NOT be treated as quantum-safe: it is deterministic
-// from public keys and exists only to seed WireGuard until Rosenpass rotates
-// in a real post-quantum PSK.
-func DeterministicSeedKey(localKey, remoteKey string) (*wgtypes.Key, error) {
-	lk := []byte(localKey)
-	rk := []byte(remoteKey)
-	if len(lk) < 16 || len(rk) < 16 {
-		return nil, fmt.Errorf("rosenpass: peer keys must be at least 16 bytes (got local=%d, remote=%d)", len(lk), len(rk))
-	}
-
-	var keyInput []byte
-	if localKey > remoteKey {
-		keyInput = append(keyInput, lk[:16]...)
-		keyInput = append(keyInput, rk[:16]...)
-	} else {
-		keyInput = append(keyInput, rk[:16]...)
-		keyInput = append(keyInput, lk[:16]...)
-	}
-
-	key, err := wgtypes.NewKey(keyInput)
-	if err != nil {
-		return nil, fmt.Errorf("rosenpass: deterministic seed key: %w", err)
-	}
-	return &key, nil
-}
--- a/client/internal/rosenpass/seed_test.go
+++ b/client/internal/rosenpass/seed_test.go
@@ -1,44 +0,0 @@
-package rosenpass
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestDeterministicSeedKey_SameForBothSides(t *testing.T) {
-	// Peer A and peer B must derive the same PSK regardless of which side
-	// computes it: the function orders inputs internally.
-	a := strings.Repeat("a", 32)
-	b := strings.Repeat("b", 32)
-
-	keyAB, err := DeterministicSeedKey(a, b)
-	require.NoError(t, err)
-	keyBA, err := DeterministicSeedKey(b, a)
-	require.NoError(t, err)
-	require.Equal(t, keyAB.String(), keyBA.String(), "swapping arguments must yield identical key")
-}
-
-func TestDeterministicSeedKey_ChangesWithKeys(t *testing.T) {
-	a := strings.Repeat("a", 32)
-	b := strings.Repeat("b", 32)
-	c := strings.Repeat("c", 32)
-
-	keyAB, err := DeterministicSeedKey(a, b)
-	require.NoError(t, err)
-	keyAC, err := DeterministicSeedKey(a, c)
-	require.NoError(t, err)
-	require.NotEqual(t, keyAB.String(), keyAC.String(), "different peer pair must yield different key")
-}
-
-func TestDeterministicSeedKey_TooShortKey_ReturnsError(t *testing.T) {
-	short := "short" // < 16 bytes
-	long := strings.Repeat("x", 32)
-
-	_, err := DeterministicSeedKey(short, long)
-	require.Error(t, err)
-	_, err = DeterministicSeedKey(long, short)
-	require.Error(t, err)
-}
-
--- a/client/internal/routemanager/systemops/routeflags_addfilter_bsd.go
+++ b/client/internal/routemanager/systemops/routeflags_addfilter_bsd.go
@@ -1,9 +0,0 @@
-//go:build dragonfly || freebsd || netbsd || openbsd
-
-package systemops
-
-// IgnoreAddedDefaultRoute reports whether an RTM_ADD default route with the
-// given flags should be ignored by the network monitor.
-func IgnoreAddedDefaultRoute(flags int) bool {
-	return filterRoutesByFlags(flags)
-}
--- a/client/internal/routemanager/systemops/routeflags_addfilter_darwin.go
+++ b/client/internal/routemanager/systemops/routeflags_addfilter_darwin.go
@@ -1,21 +0,0 @@
-//go:build darwin
-
-package systemops
-
-import "golang.org/x/sys/unix"
-
-// IgnoreAddedDefaultRoute reports whether an RTM_ADD default route with the
-// given flags should be ignored by the network monitor. Scoped routes
-// (RTF_IFSCOPE) are tied to a specific interface index and cannot replace the
-// unscoped default the kernel uses for general egress, so flapping ones (e.g.
-// Wi-Fi calling IMS tunnels on ipsec0, Docker bridges, scoped utun defaults)
-// must not trigger an engine restart.
-func IgnoreAddedDefaultRoute(flags int) bool {
-	if filterRoutesByFlags(flags) {
-		return true
-	}
-	if flags&unix.RTF_IFSCOPE != 0 {
-		return true
-	}
-	return false
-}
--- a/client/internal/statemanager/manager.go
+++ b/client/internal/statemanager/manager.go
@@ -74,6 +74,14 @@ func New(filePath string) *Manager {
 	}
 }

+// FilePath returns the path of the underlying state file.
+func (m *Manager) FilePath() string {
+	if m == nil {
+		return ""
+	}
+	return m.filePath
+}
+
 // Start starts the state manager periodic save routine
 func (m *Manager) Start() {
 	if m == nil {
@@ -96,19 +104,17 @@ func (m *Manager) Stop(ctx context.Context) error {
 	}

 	m.mu.Lock()
-	cancel := m.cancel
-	done := m.done
-	m.mu.Unlock()
+	defer m.mu.Unlock()

-	if cancel == nil {
+	if m.cancel == nil {
 		return nil
 	}
-	cancel()
+	m.cancel()

 	select {
 	case <-ctx.Done():
 		return ctx.Err()
-	case <-done:
+	case <-m.done:
 	}

 	return nil
--- a/client/internal/syncstore/disk.go
+++ b/client/internal/syncstore/disk.go
@@ -1,99 +0,0 @@
-package syncstore
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"os"
-	"path/filepath"
-	"sync"
-
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/protobuf/proto"
-
-	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
-	"github.com/netbirdio/netbird/util"
-)
-
-// syncResponseFileName is the name of the file the sync response is serialized
-// to, placed inside the configured directory (the state directory).
-const syncResponseFileName = "networkmap.pb"
-
-// diskStore serializes the latest sync response to a file on disk instead of
-// keeping it in memory. This trades disk I/O for a much smaller memory
-// footprint, which matters on memory-constrained platforms (iOS).
-type diskStore struct {
-	mu   sync.Mutex
-	path string
-}
-
-// NewDiskStore returns a Store that serializes the sync response to a file in
-// the given directory. If dir is empty it falls back to the OS temp directory.
-//
-// Any file left over from a previous run is removed on construction so a fresh
-// store never reads stale data (e.g. another profile's network map).
-func NewDiskStore(dir string) Store {
-	if dir == "" {
-		dir = os.TempDir()
-	}
-	s := &diskStore{
-		path: filepath.Join(dir, syncResponseFileName),
-	}
-	if err := s.Clear(); err != nil {
-		log.Warnf("failed to clear stale sync response file: %v", err)
-	}
-	return s
-}
-
-func (s *diskStore) Set(resp *mgmProto.SyncResponse) error {
-	if resp == nil {
-		return s.Clear()
-	}
-
-	bs, err := proto.Marshal(resp)
-	if err != nil {
-		return fmt.Errorf("marshal sync response: %w", err)
-	}
-
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	if err := util.WriteBytesWithRestrictedPermission(context.Background(), s.path, bs); err != nil {
-		return fmt.Errorf("write sync response to %s: %w", s.path, err)
-	}
-
-	log.Debugf("sync response persisted to %s (%d bytes)", s.path, len(bs))
-	return nil
-}
-
-func (s *diskStore) Get() (*mgmProto.SyncResponse, error) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	bs, err := os.ReadFile(s.path)
-	if err != nil {
-		if errors.Is(err, os.ErrNotExist) {
-			//nolint:nilnil // nil,nil means "nothing stored", per the Store contract; preserve the original behaviour
-			return nil, nil
-		}
-		return nil, fmt.Errorf("read sync response from %s: %w", s.path, err)
-	}
-
-	resp := &mgmProto.SyncResponse{}
-	if err := proto.Unmarshal(bs, resp); err != nil {
-		return nil, fmt.Errorf("unmarshal sync response: %w", err)
-	}
-
-	log.Debugf("retrieving latest sync response from %s (%d bytes)", s.path, len(bs))
-	return resp, nil
-}
-
-func (s *diskStore) Clear() error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	if err := os.Remove(s.path); err != nil && !errors.Is(err, os.ErrNotExist) {
-		return fmt.Errorf("remove sync response file %s: %w", s.path, err)
-	}
-	return nil
-}
--- a/client/internal/syncstore/factory_ios.go
+++ b/client/internal/syncstore/factory_ios.go
@@ -1,9 +0,0 @@
-//go:build ios
-
-package syncstore
-
-// New returns the platform default store. On iOS the sync response is
-// serialized to disk (in dir) to keep it out of the constrained process memory.
-func New(dir string) Store {
-	return NewDiskStore(dir)
-}
--- a/client/internal/syncstore/factory_other.go
+++ b/client/internal/syncstore/factory_other.go
@@ -1,9 +0,0 @@
-//go:build !ios
-
-package syncstore
-
-// New returns the platform default store. On all non-iOS platforms the sync
-// response is kept in memory; dir is unused.
-func New(_ string) Store {
-	return NewMemoryStore()
-}
--- a/client/internal/syncstore/memory.go
+++ b/client/internal/syncstore/memory.go
@@ -1,56 +0,0 @@
-package syncstore
-
-import (
-	"fmt"
-	"sync"
-
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/protobuf/proto"
-
-	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
-)
-
-// memoryStore keeps the latest sync response in memory.
-type memoryStore struct {
-	mu     sync.RWMutex
-	latest *mgmProto.SyncResponse
-}
-
-// NewMemoryStore returns a Store that keeps the sync response in memory.
-func NewMemoryStore() Store {
-	return &memoryStore{}
-}
-
-func (s *memoryStore) Set(resp *mgmProto.SyncResponse) error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	s.latest = resp
-	return nil
-}
-
-func (s *memoryStore) Get() (*mgmProto.SyncResponse, error) {
-	s.mu.RLock()
-	latest := s.latest
-	s.mu.RUnlock()
-
-	if latest == nil {
-		//nolint:nilnil // nil,nil means "nothing stored", per the Store contract; preserve the original behaviour
-		return nil, nil
-	}
-
-	log.Debugf("retrieving latest sync response with size %d bytes", proto.Size(latest))
-	sr, ok := proto.Clone(latest).(*mgmProto.SyncResponse)
-	if !ok {
-		return nil, fmt.Errorf("clone sync response")
-	}
-	return sr, nil
-}
-
-func (s *memoryStore) Clear() error {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	s.latest = nil
-	return nil
-}
--- a/client/internal/syncstore/syncstore.go
+++ b/client/internal/syncstore/syncstore.go
@@ -1,29 +0,0 @@
-// Package syncstore stores the latest Management sync response (which carries
-// the network map) for debug bundle generation.
-//
-// The storage backend is selected at build time per operating system: on iOS
-// the response is serialized to disk to keep it out of the (tightly
-// constrained) process memory, while on all other platforms it is kept in
-// memory. The backend is chosen by the New constructor; see factory_ios.go and
-// factory_other.go.
-package syncstore
-
-import (
-	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
-)
-
-// Store persists the latest sync response and returns it on demand.
-//
-// Implementations must be safe for concurrent use.
-type Store interface {
-	// Set stores the given sync response, replacing any previously stored one.
-	Set(resp *mgmProto.SyncResponse) error
-
-	// Get returns the stored sync response, or nil if none is stored.
-	// The returned value is an independent copy that the caller may retain.
-	Get() (*mgmProto.SyncResponse, error)
-
-	// Clear removes any stored sync response. It is safe to call when nothing
-	// is stored.
-	Clear() error
-}
--- a/client/internal/updater/manager.go
+++ b/client/internal/updater/manager.go
@@ -19,6 +19,8 @@ import (

 const (
 	latestVersion = "latest"
+	// this version will be ignored
+	developmentVersion = "development"
 )

 var errNoUpdateState = errors.New("no update state found")
@@ -481,7 +483,7 @@ func (m *Manager) loadAndDeleteUpdateState(ctx context.Context) (*UpdateState, e
 }

 func (m *Manager) shouldUpdate(updateVersion *v.Version, forceUpdate bool) bool {
-	if version.IsDevelopmentVersion(m.currentVersion) {
+	if m.currentVersion == developmentVersion {
 		log.Debugf("skipping auto-update, running development version")
 		return false
 	}
--- a/client/mdm/canonical_loaders.go
+++ b/client/mdm/canonical_loaders.go
@@ -1,25 +0,0 @@
-//go:build windows || darwin
-
-package mdm
-
-import "strings"
-
-// canonicalKey maps the lowercase form of a managed-config value name to
-// its canonical mdm.Key* form. Admins commonly write PascalCase value
-// names in ADMX / Group Policy ("ManagementURL"); the iOS/AppConfig and
-// macOS plist conventions are camelCase ("managementURL"); both must
-// resolve to the same Policy lookup.
-//
-// Lives in a desktop-loader-only file (build tag `windows || darwin`)
-// because no other build path consumes it. Linux / FreeBSD / mobile
-// builds don't ship a platform loader that reads arbitrary-case key
-// names, so they don't need the canonicalisation table — and including
-// the var unconditionally would trigger the `unused` golangci-lint
-// check on those platforms.
-var canonicalKey = func() map[string]string {
-	m := make(map[string]string, len(AllKeys))
-	for _, k := range AllKeys {
-		m[strings.ToLower(k)] = k
-	}
-	return m
-}()
--- a/client/mdm/policy.go
+++ b/client/mdm/policy.go
@@ -1,278 +0,0 @@
-// Package mdm reads MDM-managed configuration from platform-native sources
-// (plist on macOS, registry on Windows, UserDefaults on iOS,
-// RestrictionsManager on Android). The returned Policy is consumed by
-// profilemanager.Config.apply() as the highest-priority override layer.
-//
-// An empty Policy (no source present, or source present with zero keys)
-// means no MDM enforcement is active and the client behaves as if the
-// feature did not exist.
-package mdm
-
-import (
-	"sort"
-	"strconv"
-
-	log "github.com/sirupsen/logrus"
-)
-
-// Well-known policy keys. Names mirror the corresponding ConfigInput Go field
-// names (lowerCamelCase) so the daemon can map a Policy key directly to a
-// configuration field.
-const (
-	KeyManagementURL            = "managementURL"
-	KeyDisableUpdateSettings    = "disableUpdateSettings"
-	KeyDisableProfiles          = "disableProfiles"
-	KeyDisableNetworks          = "disableNetworks"
-	KeyDisableClientRoutes      = "disableClientRoutes"
-	KeyDisableServerRoutes      = "disableServerRoutes"
-	KeyBlockInbound             = "blockInbound"
-	KeyDisableMetricsCollection = "disableMetricsCollection"
-	KeyAllowServerSSH           = "allowServerSSH"
-	KeyDisableAutoConnect       = "disableAutoConnect"
-	KeyPreSharedKey             = "preSharedKey"
-	KeyRosenpassEnabled         = "rosenpassEnabled"
-	KeyRosenpassPermissive      = "rosenpassPermissive"
-	KeyWireguardPort            = "wireguardPort"
-
-	// Split tunnel is modeled as a single conceptual policy with two
-	// registry/plist values. KeySplitTunnelMode is the discriminator
-	// ("allow" or "disallow"); KeySplitTunnelApps is a comma-separated
-	// list of package names. The values are mutually exclusive by
-	// construction — only one mode can be set at a time.
-	KeySplitTunnelMode = "splitTunnelMode"
-	KeySplitTunnelApps = "splitTunnelApps"
-)
-
-// Split-tunnel mode literals (KeySplitTunnelMode values).
-const (
-	SplitTunnelModeAllow    = "allow"
-	SplitTunnelModeDisallow = "disallow"
-)
-
-// AllKeys is the set of recognised MDM keys. Unknown keys in a managed
-// configuration are ignored but logged.
-var AllKeys = []string{
-	KeyManagementURL,
-	KeyDisableUpdateSettings,
-	KeyDisableProfiles,
-	KeyDisableNetworks,
-	KeyDisableClientRoutes,
-	KeyDisableServerRoutes,
-	KeyBlockInbound,
-	KeyDisableMetricsCollection,
-	KeyAllowServerSSH,
-	KeyDisableAutoConnect,
-	KeyPreSharedKey,
-	KeyRosenpassEnabled,
-	KeyRosenpassPermissive,
-	KeyWireguardPort,
-	KeySplitTunnelMode,
-	KeySplitTunnelApps,
-}
-
-// SecretKeys lists keys whose values must be redacted in logs.
-var SecretKeys = map[string]struct{}{
-	KeyPreSharedKey: {},
-}
-
-
-// Policy holds MDM-managed settings read from the platform source. A nil or
-// empty Policy means no enforcement is active.
-type Policy struct {
-	values map[string]any
-}
-
-// NewPolicy constructs a Policy from a key→value map. Pass nil or an empty
-// NewPolicy constructs a Policy backed by the provided key→value map.
-// If values is nil it is replaced with an empty map so the returned *Policy
-// NewPolicy constructs a non-nil *Policy that wraps the provided key/value map.
-// If values is nil it is replaced with an empty map so the returned Policy always
-// represents "no MDM enforcement" when its values are empty.
-func NewPolicy(values map[string]any) *Policy {
-	if values == nil {
-		values = map[string]any{}
-	}
-	return &Policy{values: values}
-}
-
-// LoadPolicy reads the platform-native MDM configuration. Returns an empty
-// (but non-nil) Policy when no source is present, the source is empty, or
-// the platform is unsupported.
-//
-// Diagnostic logging differentiates the three states:
-//   - source absent / unsupported platform: trace log only
-//   - source present, zero keys:             info "MDM enrolled (no managed keys)"
-// LoadPolicy loads MDM-managed configuration from the platform and returns a Policy representing the managed settings.
-// If the platform loader fails or returns nil, LoadPolicy returns a non-nil empty Policy.
-// LoadPolicy loads platform-managed MDM key/value pairs and returns a non-nil Policy.
-// If the platform loader returns an error or a nil map, an empty Policy is returned.
-// On loader error a trace-level message is emitted. When a map is returned, an
-// informational message is logged either indicating enrollment with no managed keys
-// or the count and a stable, sorted list of managed key names.
-func LoadPolicy() *Policy {
-	values, err := loadPlatformPolicy()
-	if err != nil {
-		log.Tracef("MDM policy load: %v", err)
-		return &Policy{values: map[string]any{}}
-	}
-	if values == nil {
-		return &Policy{values: map[string]any{}}
-	}
-	if len(values) == 0 {
-		log.Info("MDM enrolled (no managed keys)")
-	} else {
-		log.Infof("MDM enrolled with %d managed key(s): %v", len(values), sortedKeys(values))
-	}
-	return &Policy{values: values}
-}
-
-// IsEmpty reports whether the Policy has no managed keys.
-func (p *Policy) IsEmpty() bool {
-	return p == nil || len(p.values) == 0
-}
-
-// HasKey reports whether the given key is MDM-managed.
-func (p *Policy) HasKey(key string) bool {
-	if p == nil {
-		return false
-	}
-	_, ok := p.values[key]
-	return ok
-}
-
-// ManagedKeys returns the sorted list of managed key names. Returns an empty
-// slice (not nil) on an empty Policy.
-func (p *Policy) ManagedKeys() []string {
-	if p == nil {
-		return []string{}
-	}
-	return sortedKeys(p.values)
-}
-
-// GetString returns the managed value for key coerced to string, and whether
-// the key was set. A non-string value returns ("", false).
-func (p *Policy) GetString(key string) (string, bool) {
-	if p == nil {
-		return "", false
-	}
-	v, ok := p.values[key]
-	if !ok {
-		return "", false
-	}
-	s, ok := v.(string)
-	if !ok || s == "" {
-		return "", false
-	}
-	return s, true
-}
-
-// boolStringLiterals enumerates the textual boolean encodings the
-// platform loaders may produce (Windows REG_SZ "true", iOS / Android
-// managed-config booleans-as-strings, etc.). Lookup keeps GetBool flat
-// (no nested switch on the string case).
-var boolStringLiterals = map[string]bool{
-	"true":  true,
-	"1":     true,
-	"yes":   true,
-	"false": false,
-	"0":     false,
-	"no":    false,
-}
-
-// GetBool returns the managed value for key coerced to bool, and whether the
-// key was set. Accepts native bool and string literals "true"/"false"/"1"/"0".
-func (p *Policy) GetBool(key string) (bool, bool) {
-	if p == nil {
-		return false, false
-	}
-	v, ok := p.values[key]
-	if !ok {
-		return false, false
-	}
-	switch t := v.(type) {
-	case bool:
-		return t, true
-	case string:
-		b, known := boolStringLiterals[t]
-		return b, known
-	case int:
-		return t != 0, true
-	case int64:
-		return t != 0, true
-	}
-	return false, false
-}
-
-// GetInt returns the managed value for key as int64, and whether the key
-// was set. Accepts native int / int64 (as produced by the Windows registry
-// loader for REG_DWORD/REG_QWORD) and numeric strings (decimal).
-func (p *Policy) GetInt(key string) (int64, bool) {
-	if p == nil {
-		return 0, false
-	}
-	v, ok := p.values[key]
-	if !ok {
-		return 0, false
-	}
-	switch t := v.(type) {
-	case int64:
-		return t, true
-	case int:
-		return int64(t), true
-	case int32:
-		return int64(t), true
-	case uint64:
-		return int64(t), true
-	case float64:
-		return int64(t), true
-	case string:
-		if n, err := strconv.ParseInt(t, 10, 64); err == nil {
-			return n, true
-		}
-	}
-	return 0, false
-}
-
-// GetStringSlice returns the managed value for key as []string, and whether
-// the key was set. Accepts []string, []any (of strings), and a single string
-// (treated as a one-element list).
-func (p *Policy) GetStringSlice(key string) ([]string, bool) {
-	if p == nil {
-		return nil, false
-	}
-	v, ok := p.values[key]
-	if !ok {
-		return nil, false
-	}
-	switch t := v.(type) {
-	case []string:
-		return append([]string(nil), t...), true
-	case []any:
-		out := make([]string, 0, len(t))
-		for _, item := range t {
-			s, ok := item.(string)
-			if !ok {
-				return nil, false
-			}
-			out = append(out, s)
-		}
-		return out, true
-	case string:
-		return []string{t}, true
-	}
-	return nil, false
-}
-
-// sortedKeys returns the keys of m as a deterministic, lexicographically
-// sorted slice. Used internally by Policy.ManagedKeys and LoadPolicy's
-// diagnostic log line so callers see a stable key order across runs
-// sortedKeys returns the keys of m as a lexicographically sorted slice.
-// The sorted order provides a deterministic key ordering for diagnostics and enumeration.
-func sortedKeys(m map[string]any) []string {
-	out := make([]string, 0, len(m))
-	for k := range m {
-		out = append(out, k)
-	}
-	sort.Strings(out)
-	return out
-}
--- a/client/mdm/policy_darwin.go
+++ b/client/mdm/policy_darwin.go
@@ -1,99 +0,0 @@
-//go:build darwin && !ios
-
-package mdm
-
-import (
-	"errors"
-	"fmt"
-	"io/fs"
-	"os"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-	"howett.net/plist"
-)
-
-// policyPlistPath is the well-known location where macOS writes the
-// device-level mandatory MDM payload for NetBird. The path is fixed by
-// Apple convention: when an MDM provider (Jamf / Kandji / Mosyle /
-// Intune for Mac / Workspace ONE) pushes a Configuration Profile that
-// contains a com.apple.ManagedClient.preferences payload targeting the
-// bundle id io.netbird.client, the OS materializes the payload here.
-//
-// Read-only — only the OS (root) is supposed to write this file. The
-// loader sanity-checks the file mode and refuses to honour a world-
-// writable plist, as a defense against tampered installs.
-const policyPlistPath = "/Library/Managed Preferences/io.netbird.client.plist"
-
-// loadPlatformPolicy reads the MDM-managed configuration from the macOS
-// managed-preferences plist. Returns:
-//   - (nil, nil)  when the plist is absent (device not MDM-enrolled for
-//     NetBird, or admin has not yet pushed a payload)
-//   - (map, nil)  with N entries when N managed values are present
-//     (N may be 0 — empty plist still signals enrollment to the caller)
-//   - (nil, err)  on permission / parse / safety errors
-//
-// Value-type coercion mirrors the Windows loader: native plist types
-// map naturally onto the Policy accessor expectations (GetString /
-// GetBool / GetInt / GetStringSlice). Unknown top-level keys are
-// logged and skipped so a stray entry in the payload does not block
-// loadPlatformPolicy reads the managed-preferences plist at policyPlistPath and returns recognised MDM key/value pairs.
-//
-// If the plist file does not exist, it returns (nil, nil). It returns a wrapped error on open/stat/decode failures.
-// The function refuses to read a world-writable plist and returns an error in that case.
-// loadPlatformPolicy reads the device-level managed-preferences plist and returns its recognized keys.
-// 
-// It looks for the plist at policyPlistPath and, if present, decodes it into a map[string]any.
-// Top-level plist keys are canonicalized case-insensitively to the package's internal MDM key names;
-// unknown keys are logged and ignored. If the plist file does not exist, it returns (nil, nil).
-// The function refuses to read the file if it is world-writable and returns a wrapped error for
-// failures to open, stat, or decode the plist.
-func loadPlatformPolicy() (map[string]any, error) {
-	f, err := os.Open(policyPlistPath)
-	if err != nil {
-		if errors.Is(err, fs.ErrNotExist) {
-			// Not enrolled for NetBird. Caller treats nil as
-			// "no MDM source present".
-			//nolint:nilnil // (nil, nil) is the documented platform-absent sentinel; see LoadPolicy.
-			return nil, nil
-		}
-		return nil, fmt.Errorf("open %s: %w", policyPlistPath, err)
-	}
-	defer func() {
-		if closeErr := f.Close(); closeErr != nil {
-			log.Warnf("MDM close plist %s: %v", policyPlistPath, closeErr)
-		}
-	}()
-
-	info, err := f.Stat()
-	if err != nil {
-		return nil, fmt.Errorf("stat %s: %w", policyPlistPath, err)
-	}
-	// World-writable plist => tampered install. Refuse rather than
-	// honour potentially attacker-controlled policy values.
-	if info.Mode().Perm()&0o002 != 0 {
-		return nil, fmt.Errorf("refusing to read world-writable MDM source %s (mode %o)",
-			policyPlistPath, info.Mode().Perm())
-	}
-
-	raw := make(map[string]any)
-	if err := plist.NewDecoder(f).Decode(&raw); err != nil {
-		return nil, fmt.Errorf("decode plist %s: %w", policyPlistPath, err)
-	}
-
-	out := make(map[string]any, len(raw))
-	for name, val := range raw {
-		// macOS / AppConfig conventions both use camelCase for managed
-		// preferences keys; canonicalize to the mdm.Key* form so a key
-		// written as "ManagementURL" (PascalCase, rare on macOS but
-		// possible if the admin reused an ADMX-style name) still
-		// resolves.
-		canonical, known := canonicalKey[strings.ToLower(name)]
-		if !known {
-			log.Warnf("MDM ignoring unknown plist key %s: %s", policyPlistPath, name)
-			continue
-		}
-		out[canonical] = val
-	}
-	return out, nil
-}
--- a/client/mdm/policy_mobile.go
+++ b/client/mdm/policy_mobile.go
@@ -1,14 +0,0 @@
-//go:build ios || android
-
-package mdm
-
-// loadPlatformPolicy is unused on mobile: the native layer (Swift on iOS,
-// Kotlin/Java on Android) reads the OS managed-config store and pushes the
-// resulting dictionary in-process via a gomobile entry point that lands in
-// Phase 5 / Phase 6. The stub keeps the package compilable for mobile
-// builds and returns (nil, nil) — the platform-absent sentinel that
-// LoadPolicy in policy.go treats as "no MDM source present".
-func loadPlatformPolicy() (map[string]any, error) {
-	//nolint:nilnil // (nil, nil) is the documented platform-absent sentinel; see LoadPolicy.
-	return nil, nil
-}
--- a/client/mdm/policy_other.go
+++ b/client/mdm/policy_other.go
@@ -1,14 +0,0 @@
-//go:build !windows && !darwin && !ios && !android
-
-package mdm
-
-// loadPlatformPolicy returns no policy on platforms without an MDM channel
-// (Linux, FreeBSD). MDM enforcement is off and the client behaves as if
-// the feature did not exist. Returns (nil, nil) — the platform-absent
-// sentinel the caller (LoadPolicy in policy.go) treats as "no MDM
-// source present"; an error here would just translate to the same
-// outcome with an extra log line.
-func loadPlatformPolicy() (map[string]any, error) {
-	//nolint:nilnil // (nil, nil) is the documented platform-absent sentinel; see LoadPolicy.
-	return nil, nil
-}
--- a/client/mdm/policy_test.go
+++ b/client/mdm/policy_test.go
@@ -1,160 +0,0 @@
-package mdm
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestPolicy_NilSafe(t *testing.T) {
-	var p *Policy
-	assert.True(t, p.IsEmpty())
-	assert.False(t, p.HasKey(KeyManagementURL))
-	assert.Empty(t, p.ManagedKeys())
-
-	_, ok := p.GetString(KeyManagementURL)
-	assert.False(t, ok)
-	_, ok = p.GetBool(KeyDisableProfiles)
-	assert.False(t, ok)
-	_, ok = p.GetStringSlice(KeySplitTunnelApps)
-	assert.False(t, ok)
-}
-
-func TestPolicy_Empty(t *testing.T) {
-	p := NewPolicy(nil)
-	require.NotNil(t, p)
-	assert.True(t, p.IsEmpty())
-	assert.False(t, p.HasKey(KeyManagementURL))
-	assert.Empty(t, p.ManagedKeys())
-}
-
-func TestPolicy_HasKey(t *testing.T) {
-	p := NewPolicy(map[string]any{
-		KeyManagementURL:    "https://corp.example.com",
-		KeyDisableProfiles:  true,
-	})
-	assert.False(t, p.IsEmpty())
-	assert.True(t, p.HasKey(KeyManagementURL))
-	assert.True(t, p.HasKey(KeyDisableProfiles))
-	assert.False(t, p.HasKey(KeyPreSharedKey))
-}
-
-func TestPolicy_ManagedKeysSorted(t *testing.T) {
-	p := NewPolicy(map[string]any{
-		KeyDisableProfiles: true,
-		KeyManagementURL:   "https://x",
-		KeyAllowServerSSH:  false,
-	})
-	got := p.ManagedKeys()
-	assert.Equal(t, []string{KeyAllowServerSSH, KeyDisableProfiles, KeyManagementURL}, got)
-}
-
-func TestPolicy_GetString(t *testing.T) {
-	p := NewPolicy(map[string]any{
-		KeyManagementURL:   "https://corp.example.com",
-		KeyDisableProfiles: true,            // wrong type for GetString
-		KeyPreSharedKey:        "",              // empty rejected
-	})
-	v, ok := p.GetString(KeyManagementURL)
-	assert.True(t, ok)
-	assert.Equal(t, "https://corp.example.com", v)
-
-	_, ok = p.GetString(KeyDisableProfiles)
-	assert.False(t, ok, "non-string value must not be reported as string")
-
-	_, ok = p.GetString(KeyPreSharedKey)
-	assert.False(t, ok, "empty string treated as unset")
-
-	_, ok = p.GetString("nonexistent")
-	assert.False(t, ok)
-}
-
-func TestPolicy_GetBool(t *testing.T) {
-	cases := []struct {
-		name string
-		raw  any
-		want bool
-		ok   bool
-	}{
-		{"native true", true, true, true},
-		{"native false", false, false, true},
-		{"string true", "true", true, true},
-		{"string false", "false", false, true},
-		{"string 1", "1", true, true},
-		{"string 0", "0", false, true},
-		{"string yes", "yes", true, true},
-		{"string no", "no", false, true},
-		{"int nonzero", 1, true, true},
-		{"int zero", 0, false, true},
-		{"int64 nonzero", int64(2), true, true},
-		{"int64 zero", int64(0), false, true},
-		{"string garbage", "maybe", false, false},
-		{"float unsupported", 1.0, false, false},
-	}
-	for _, c := range cases {
-		t.Run(c.name, func(t *testing.T) {
-			p := NewPolicy(map[string]any{KeyDisableProfiles: c.raw})
-			got, ok := p.GetBool(KeyDisableProfiles)
-			assert.Equal(t, c.ok, ok)
-			if c.ok {
-				assert.Equal(t, c.want, got)
-			}
-		})
-	}
-
-	_, ok := NewPolicy(nil).GetBool(KeyDisableProfiles)
-	assert.False(t, ok)
-}
-
-func TestPolicy_GetStringSlice(t *testing.T) {
-	t.Run("native string slice", func(t *testing.T) {
-		p := NewPolicy(map[string]any{
-			KeySplitTunnelApps: []string{"com.a", "com.b"},
-		})
-		got, ok := p.GetStringSlice(KeySplitTunnelApps)
-		assert.True(t, ok)
-		assert.Equal(t, []string{"com.a", "com.b"}, got)
-	})
-
-	t.Run("any slice of strings", func(t *testing.T) {
-		p := NewPolicy(map[string]any{
-			KeySplitTunnelApps: []any{"com.a", "com.b"},
-		})
-		got, ok := p.GetStringSlice(KeySplitTunnelApps)
-		assert.True(t, ok)
-		assert.Equal(t, []string{"com.a", "com.b"}, got)
-	})
-
-	t.Run("single string lifts to one-element slice", func(t *testing.T) {
-		p := NewPolicy(map[string]any{
-			KeySplitTunnelApps: "com.a",
-		})
-		got, ok := p.GetStringSlice(KeySplitTunnelApps)
-		assert.True(t, ok)
-		assert.Equal(t, []string{"com.a"}, got)
-	})
-
-	t.Run("mixed any slice rejected", func(t *testing.T) {
-		p := NewPolicy(map[string]any{
-			KeySplitTunnelApps: []any{"com.a", 1},
-		})
-		_, ok := p.GetStringSlice(KeySplitTunnelApps)
-		assert.False(t, ok)
-	})
-
-	t.Run("missing key", func(t *testing.T) {
-		p := NewPolicy(nil)
-		_, ok := p.GetStringSlice(KeySplitTunnelApps)
-		assert.False(t, ok)
-	})
-}
-
-func TestLoadPolicy_PlatformStubReturnsEmpty(t *testing.T) {
-	// loadPlatformPolicy is a stub on every OS for Phase 1. LoadPolicy must
-	// degrade gracefully and never return nil.
-	p := LoadPolicy()
-	require.NotNil(t, p)
-	assert.True(t, p.IsEmpty())
-	assert.Empty(t, p.ManagedKeys())
-}
--- a/client/mdm/policy_windows.go
+++ b/client/mdm/policy_windows.go
@@ -1,119 +0,0 @@
-//go:build windows
-
-package mdm
-
-import (
-	"errors"
-	"fmt"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/sys/windows/registry"
-)
-
-// policyRegistryPath is the well-known MDM policy registry key for NetBird.
-// Admins push values here through Group Policy, Intune ADMX ingestion, an
-// Intune custom Registry CSP profile, or `reg add` during MSI deployment.
-// Listed in the project's docs/mdm/netbird.admx schema.
-const policyRegistryPath = `Software\Policies\NetBird`
-
-// loadPlatformPolicy reads the MDM-managed configuration from the Windows
-// registry under HKLM\Software\Policies\NetBird. Returns:
-//   - (nil, nil)  when the key is absent (device not MDM-enrolled for NetBird)
-//   - (map, nil)  with N entries when N managed values are set (N may be 0)
-//   - (nil, err)  on any other registry error
-//
-// Type coercion of registry value types into the Policy map:
-//   - REG_SZ        -> string
-//   - REG_EXPAND_SZ -> string (expanded by the registry API)
-//   - REG_DWORD     -> int64 (caller's GetBool handles 0/!=0 coercion)
-//   - REG_QWORD     -> int64
-//   - REG_MULTI_SZ  -> []string
-//
-// Unsupported value types (REG_BINARY, REG_NONE, ...) are skipped with a
-// loadPlatformPolicy reads managed NetBird policy values from HKLM\Software\Policies\NetBird.
-// If the registry key does not exist it returns (nil, nil).
-// It returns a map whose keys are canonical policy names and whose values are coerced from registry types:
-// REG_SZ/REG_EXPAND_SZ -> string, REG_DWORD/REG_QWORD -> int64, REG_MULTI_SZ -> []string.
-// readRegistryValue reads the registry value named by name from key k and, when the value is successfully read and its type is supported, stores the coerced Go value in out[canonical].
-//
-// REG_SZ and REG_EXPAND_SZ are stored as string, REG_DWORD and REG_QWORD are stored as int64, and REG_MULTI_SZ is stored as []string; unknown value names, unsupported value types, and per-value read errors are logged and skipped.
-func readRegistryValue(k registry.Key, name, canonical string, out map[string]any) {
-	_, valType, err := k.GetValue(name, nil)
-	if err != nil {
-		log.Warnf("MDM stat %s\\%s: %v", policyRegistryPath, name, err)
-		return
-	}
-	switch valType {
-	case registry.SZ, registry.EXPAND_SZ:
-		if v, _, err := k.GetStringValue(name); err == nil {
-			out[canonical] = v
-		} else {
-			log.Warnf("MDM read string %s\\%s: %v", policyRegistryPath, name, err)
-		}
-	case registry.DWORD, registry.QWORD:
-		if v, _, err := k.GetIntegerValue(name); err == nil {
-			// uint64 from the registry API; Policy.GetBool / GetInt
-			// helpers consume int64, so narrow safely.
-			out[canonical] = int64(v)
-		} else {
-			log.Warnf("MDM read int %s\\%s: %v", policyRegistryPath, name, err)
-		}
-	case registry.MULTI_SZ:
-		if v, _, err := k.GetStringsValue(name); err == nil {
-			out[canonical] = v
-		} else {
-			log.Warnf("MDM read multi-string %s\\%s: %v", policyRegistryPath, name, err)
-		}
-	default:
-		log.Warnf("MDM ignoring unsupported registry value type %d at %s\\%s",
-			valType, policyRegistryPath, name)
-	}
-}
-
-// loadPlatformPolicy loads MDM-managed NetBird policy values from the Windows
-// registry at HKLM\Software\Policies\NetBird.
-// 
-// It returns a map that maps canonical policy names to coerced Go values:
-// string for REG_SZ/REG_EXPAND_SZ, int64 for REG_DWORD/REG_QWORD, and []string
-// for REG_MULTI_SZ. If the policy registry key does not exist, it returns
-// (nil, nil). It returns an error when opening or enumerating the registry
-// key fails. Individual values that are unknown, of unsupported types, or that
-// fail to read are skipped and produce logged warnings; registry close failures
-// are also logged.
-func loadPlatformPolicy() (map[string]any, error) {
-	k, err := registry.OpenKey(registry.LOCAL_MACHINE, policyRegistryPath, registry.QUERY_VALUE)
-	if err != nil {
-		if errors.Is(err, registry.ErrNotExist) {
-			// Not enrolled. Caller treats nil as "no MDM source present".
-			//nolint:nilnil // (nil, nil) is the documented platform-absent sentinel; see LoadPolicy.
-			return nil, nil
-		}
-		return nil, fmt.Errorf("open %s: %w", policyRegistryPath, err)
-	}
-	defer func() {
-		if closeErr := k.Close(); closeErr != nil {
-			log.Warnf("MDM close registry key %s: %v", policyRegistryPath, closeErr)
-		}
-	}()
-
-	names, err := k.ReadValueNames(-1)
-	if err != nil {
-		return nil, fmt.Errorf("enumerate values of %s: %w", policyRegistryPath, err)
-	}
-
-	out := make(map[string]any, len(names))
-	for _, name := range names {
-		// Canonicalize the registry value name against the known MDM key
-		// set so Policy.HasKey lookups (which use the canonical names)
-		// succeed regardless of the casing used by the admin's ADMX or
-		// `reg add` command.
-		canonical, known := canonicalKey[strings.ToLower(name)]
-		if !known {
-			log.Warnf("MDM ignoring unknown registry value %s\\%s", policyRegistryPath, name)
-			continue
-		}
-		readRegistryValue(k, name, canonical, out)
-	}
-	return out, nil
-}
--- a/client/mdm/ticker.go
+++ b/client/mdm/ticker.go
@@ -1,159 +0,0 @@
-package mdm
-
-import (
-	"context"
-	"reflect"
-	"sort"
-	"testing"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-)
-
-// defaultReloadInterval is the production cadence at which the desktop daemon
-// re-reads the OS-native MDM policy. Picked to balance responsiveness against
-// registry/plist I/O overhead. Mobile builds use OS-side notifications
-// instead and bypass this ticker entirely. Unexported on purpose: callers do
-// not pass it — NewTicker owns the default (see reloadInterval).
-const defaultReloadInterval = 1 * time.Minute
-
-// testReloadInterval is the cadence used under `go test` (detected via
-// testing.Testing()) so the reload path is exercised in seconds rather than
-// minutes. It has no effect on production builds, where testing.Testing()
-// always returns false.
-const testReloadInterval = 1 * time.Second
-
-// reloadInterval returns the production cadence, or the accelerated test
-// cadence when running under `go test`. Centralising the choice here keeps
-// reloadInterval selects the polling interval used to re-read the OS-native MDM policy.
-// reloadInterval selects the polling interval used for policy reloads.
-// It returns testReloadInterval when running under `go test` (testing.Testing() == true), and defaultReloadInterval otherwise.
-func reloadInterval() time.Duration {
-	if testing.Testing() {
-		return testReloadInterval
-	}
-	return defaultReloadInterval
-}
-
-// policyLoader is the indirection through which the ticker reads the
-// OS-native policy, both for the initial observation and on every tick.
-// Production points it at LoadPolicy; tests in this package override it to
-// feed a scripted sequence of policies without touching the real OS store.
-var policyLoader = LoadPolicy
-
-// Ticker periodically re-reads the OS-native MDM policy via LoadPolicy and
-// invokes onChange whenever the observed Policy diverges from the last
-// observation (added / removed / changed keys). Launch with Run from a
-// goroutine; cancel the supplied context to stop.
-type Ticker struct {
-	interval time.Duration
-	onChange func(prev, curr *Policy)
-	prev     *Policy
-}
-
-// NewTicker constructs a Ticker that re-reads the OS-native policy every
-// reloadInterval() and invokes onChange on any diff. The cadence is owned by
-// reloadInterval (production default, accelerated under `go test`); callers
-// NewTicker creates a Ticker that polls the OS-native MDM policy at the package reload interval and invokes onChange when a policy change is detected.
-// If onChange is nil the ticker will only log detected changes.
-// NewTicker creates a Ticker that polls for policy changes and invokes onChange when a difference is detected.
-// 
-// The provided onChange callback, if non-nil, is called with the previous and current Policy snapshots when a
-// change is observed. The returned Ticker's polling interval is set via reloadInterval and its initial snapshot
-// is populated by calling policyLoader.
-func NewTicker(onChange func(prev, curr *Policy)) *Ticker {
-	return &Ticker{
-		interval: reloadInterval(),
-		onChange: onChange,
-		prev:     policyLoader(),
-	}
-}
-
-// Run blocks until ctx is cancelled, polling the OS-native policy store at
-// the configured cadence and emitting log lines + onChange callback on
-// every observed diff.
-func (t *Ticker) Run(ctx context.Context) {
-	tk := time.NewTicker(t.interval)
-	defer tk.Stop()
-	log.Infof("MDM policy reload ticker started (interval=%s)", t.interval)
-	for {
-		select {
-		case <-ctx.Done():
-			log.Info("MDM policy reload ticker stopped")
-			return
-		case <-tk.C:
-			curr := policyLoader()
-			if PoliciesEqual(t.prev, curr) {
-				continue
-			}
-			added, removed, changed := diffPolicies(t.prev, curr)
-			log.Infof("MDM policy changed: added=%v removed=%v changed=%v",
-				added, removed, changed)
-			prev := t.prev
-			t.prev = curr
-			if t.onChange != nil {
-				t.onChange(prev, curr)
-			}
-		}
-	}
-}
-
-// PoliciesEqual reports whether two Policy instances carry the same managed
-// PoliciesEqual reports whether two Policy instances represent the same policy.
-// It returns true when both policies are empty, returns false if one pointer is nil
-// while the other is not, and otherwise compares the policies' underlying value
-// maps for deep equality.
-func PoliciesEqual(a, b *Policy) bool {
-	if a.IsEmpty() && b.IsEmpty() {
-		return true
-	}
-	if a == nil || b == nil {
-		return false
-	}
-	return reflect.DeepEqual(a.values, b.values)
-}
-
-// diffPolicies returns the keys added in curr, removed from prev, and whose
-// diffPolicies reports keys that were added, removed, or changed between two policies.
-// The returned slices contain keys present only in `curr` (added), only in `prev` (removed),
-// and present in both but whose values differ (changed). Each slice is sorted
-// lexicographically for stable logging output; value differences are determined
-// associated values differ by deep equality.
-func diffPolicies(prev, curr *Policy) (added, removed, changed []string) {
-	prevKeys := mapOf(prev)
-	currKeys := mapOf(curr)
-	for k := range currKeys {
-		if _, ok := prevKeys[k]; !ok {
-			added = append(added, k)
-		} else if !reflect.DeepEqual(prevKeys[k], currKeys[k]) {
-			changed = append(changed, k)
-		}
-	}
-	for k := range prevKeys {
-		if _, ok := currKeys[k]; !ok {
-			removed = append(removed, k)
-		}
-	}
-	sort.Strings(added)
-	sort.Strings(removed)
-	sort.Strings(changed)
-	return added, removed, changed
-}
-
-// mapOf returns a (possibly empty, never nil) copy of the underlying values
-// map of a Policy so callers outside this package can compare across the
-// mapOf returns a non-nil copy of the given Policy's key/value map.
-// If p is nil, mapOf returns an empty map; otherwise it returns a newly
-// mapOf returns a non-nil copy of a Policy's values map.
-// If p is nil it returns an empty map; otherwise it returns a newly
-// allocated map containing the same key/value pairs as p.values.
-func mapOf(p *Policy) map[string]any {
-	if p == nil {
-		return map[string]any{}
-	}
-	out := make(map[string]any, len(p.values))
-	for k, v := range p.values {
-		out[k] = v
-	}
-	return out
-}
--- a/client/mdm/ticker_test.go
+++ b/client/mdm/ticker_test.go
@@ -1,100 +0,0 @@
-package mdm
-
-import (
-	"context"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-// withPolicyLoader overrides the package-level policyLoader for the duration
-// of the test so the ticker observes a scripted policy instead of the real
-// OS-native store. The original loader is restored on cleanup.
-func withPolicyLoader(t *testing.T, fn func() *Policy) {
-	t.Helper()
-	prev := policyLoader
-	policyLoader = fn
-	t.Cleanup(func() { policyLoader = prev })
-}
-
-func TestTicker_UsesTestCadenceUnderGoTest(t *testing.T) {
-	withPolicyLoader(t, func() *Policy { return NewPolicy(nil) })
-
-	// Under `go test`, testing.Testing() is true so reloadInterval() returns
-	// the accelerated 1s cadence instead of the minute-long production
-	// default — this is what makes the reload path observable without a real
-	// wall-clock wait.
-	assert.Equal(t, testReloadInterval, reloadInterval())
-	assert.Equal(t, testReloadInterval, NewTicker(nil).interval)
-}
-
-func TestTicker_FiresOnChangeWithDelta(t *testing.T) {
-	var mu sync.Mutex
-	current := NewPolicy(nil) // initial observation: empty (no enforcement)
-	withPolicyLoader(t, func() *Policy {
-		mu.Lock()
-		defer mu.Unlock()
-		return current
-	})
-
-	type change struct{ prev, curr *Policy }
-	changes := make(chan change, 1)
-	tk := NewTicker(func(prev, curr *Policy) {
-		select {
-		case changes <- change{prev, curr}:
-		default:
-		}
-	})
-	require.Equal(t, testReloadInterval, tk.interval)
-
-	ctx, cancel := context.WithCancel(context.Background())
-	done := make(chan struct{})
-	go func() { tk.Run(ctx); close(done) }()
-	// Stop Run and wait for it to exit before returning, so the policyLoader
-	// restore in t.Cleanup can't race the ticker goroutine still reading it.
-	defer func() { cancel(); <-done }()
-
-	// Flip the OS-observed policy from empty to one managed key. The next
-	// tick must detect the diff and invoke onChange.
-	mu.Lock()
-	current = NewPolicy(map[string]any{KeyManagementURL: "https://mdm.example.com:443"})
-	mu.Unlock()
-
-	select {
-	case c := <-changes:
-		assert.True(t, c.prev.IsEmpty(), "prev should be the initial empty policy")
-		assert.True(t, c.curr.HasKey(KeyManagementURL), "curr should carry the newly-pushed managed key")
-	case <-time.After(5 * time.Second):
-		t.Fatal("onChange not invoked within 5s; ticker should fire every 1s under test")
-	}
-}
-
-func TestTicker_NoCallbackWhenPolicyUnchanged(t *testing.T) {
-	withPolicyLoader(t, func() *Policy {
-		return NewPolicy(map[string]any{KeyBlockInbound: true})
-	})
-
-	fired := make(chan struct{}, 1)
-	tk := NewTicker(func(_, _ *Policy) {
-		select {
-		case fired <- struct{}{}:
-		default:
-		}
-	})
-
-	ctx, cancel := context.WithCancel(context.Background())
-	done := make(chan struct{})
-	go func() { tk.Run(ctx); close(done) }()
-	defer func() { cancel(); <-done }()
-
-	// Over ~2 ticks at the 1s test cadence the policy never changes, so the
-	// diff guard must suppress the callback entirely.
-	select {
-	case <-fired:
-		t.Fatal("onChange fired despite an unchanged policy")
-	case <-time.After(2500 * time.Millisecond):
-	}
-}
--- a/client/netbird.wxs
+++ b/client/netbird.wxs
@@ -64,6 +64,13 @@
 					<RegistryValue Name="InstalledByMSI" Type="integer" Value="1" KeyPath="yes" />
 				</RegistryKey>
 			</Component>
+			<!-- Drop the HKCU Run\Netbird value written by legacy NSIS installers. -->
+			<Component Id="NetbirdLegacyHKCUCleanup" Guid="*">
+				<RegistryValue Root="HKCU" Key="Software\NetBird GmbH\Installer"
+					Name="LegacyHKCUCleanup" Type="integer" Value="1" KeyPath="yes" />
+				<RemoveRegistryValue Root="HKCU"
+					Key="Software\Microsoft\Windows\CurrentVersion\Run" Name="Netbird" />
+			</Component>
 		</StandardDirectory>

 		<StandardDirectory Id="CommonAppDataFolder">
@@ -76,10 +83,28 @@
 			</Directory>
 		</StandardDirectory>

+		<!-- Drop Run, App Paths and Uninstall entries written by legacy NSIS
+		     installers into the 32-bit registry view (HKLM\Software\Wow6432Node). -->
+		<Component Id="NetbirdLegacyWow6432Cleanup" Directory="NetbirdInstallDir"
+			Guid="bda5d628-16bd-4086-b2c1-5099d8d51763" Bitness="always32">
+			<RegistryValue Root="HKLM" Key="Software\NetBird GmbH\Installer"
+				Name="LegacyWow6432Cleanup" Type="integer" Value="1" KeyPath="yes" />
+			<RemoveRegistryValue Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\Run" Name="Netbird" />
+			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\App Paths\Netbird" />
+			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\App Paths\Netbird-ui" />
+			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\Uninstall\Netbird" />
+		</Component>
+
 		<ComponentGroup Id="NetbirdFilesComponent">
 			<ComponentRef Id="NetbirdFiles" />
 			<ComponentRef Id="NetbirdAumidRegistry" />
 			<ComponentRef Id="NetbirdAutoStart" />
+			<ComponentRef Id="NetbirdLegacyHKCUCleanup" />
+			<ComponentRef Id="NetbirdLegacyWow6432Cleanup" />
 		</ComponentGroup>

 		<util:CloseApplication Id="CloseNetBird" CloseMessage="no" Target="netbird.exe" RebootPrompt="no" />
--- a/client/proto/daemon.pb.go
+++ b/client/proto/daemon.pb.go
--- a/client/proto/daemon.proto
+++ b/client/proto/daemon.proto
@@ -119,6 +119,14 @@ service DaemonService {

  // ExposeService exposes a local port via the NetBird reverse proxy
  rpc ExposeService(ExposeServiceRequest) returns (stream ExposeServiceEvent) {}
+
+  // RespondApproval delivers the user's accept/deny decision for a
+  // pending user-approval prompt. The daemon pushes the prompt as a
+  // SystemEvent with category APPROVAL and metadata key "request_id";
+  // the UI calls this RPC with the same request_id to unblock whichever
+  // subsystem (VNC, SSH, ...) is waiting. The "kind" metadata key tells
+  // the UI which subsystem the prompt belongs to.
+  rpc RespondApproval(RespondApprovalRequest) returns (RespondApprovalResponse) {}
 }


@@ -205,6 +213,10 @@ message LoginRequest {
  optional bool disableSSHAuth = 38;
  optional int32 sshJWTCacheTTL = 39;
  optional bool disable_ipv6 = 40;
+
+  optional bool serverVNCAllowed = 41;
+
+  optional bool disableVNCApproval = 42;
 }

 message LoginResponse {
@@ -315,12 +327,9 @@ message GetConfigResponse {

  bool disable_ipv6 = 27;

-  // mDMManagedFields lists the names of configuration keys whose value is
-  // currently enforced by an MDM policy. Names match mdm.Key* constants
-  // (e.g. "managementURL", "disableClientRoutes"). UI/CLI clients should
-  // render the corresponding inputs as read-only and display a "managed
-  // by MDM" indicator.
-  repeated string mDMManagedFields = 28;
+  bool serverVNCAllowed = 28;
+
+  bool disableVNCApproval = 29;
 }

 // PeerState contains the latest state of a peer
@@ -356,7 +365,6 @@ message LocalPeerState {
  bool rosenpassPermissive = 6;
  repeated string networks = 7;
  string ipv6 = 8;
-  int32 wgPort = 9;
 }

 // SignalState contains the latest state of a signal connection
@@ -402,6 +410,25 @@ message SSHServerState {
  repeated SSHSessionInfo sessions = 2;
 }

+// VNCSessionInfo contains information about an active VNC session
+message VNCSessionInfo {
+  string remoteAddress = 1;
+  string mode = 2;
+  string username = 3;
+  // userID is the Noise-verified session identity (hashed user ID from
+  // the ACL session-key entry), empty when auth is disabled.
+  string userID = 4;
+  // initiator is the human-readable display name of the dashboard user
+  // who minted the SessionPubKey, when known.
+  string initiator = 5;
+}
+
+// VNCServerState contains the latest state of the VNC server
+message VNCServerState {
+  bool enabled = 1;
+  repeated VNCSessionInfo sessions = 2;
+}
+
 // FullStatus contains the full state held by the Status instance
 message FullStatus {
  ManagementState managementState = 1;
@@ -416,6 +443,7 @@ message FullStatus {

  bool lazyConnectionEnabled = 9;
  SSHServerState sshServerState = 10;
+  VNCServerState vncServerState = 11;
 }

 // Networks
@@ -479,7 +507,6 @@ message DebugBundleRequest {
  bool systemInfo = 3;
  string uploadURL = 4;
  uint32 logFileCount = 5;
-  string cliVersion = 6;
 }

 message DebugBundleResponse {
@@ -604,6 +631,7 @@ message SystemEvent {
    AUTHENTICATION = 2;
    CONNECTIVITY = 3;
    SYSTEM = 4;
+    APPROVAL = 5;
  }

  string id = 1;
@@ -687,6 +715,10 @@ message SetConfigRequest {
  optional bool disableSSHAuth = 33;
  optional int32 sshJWTCacheTTL = 34;
  optional bool disable_ipv6 = 35;
+
+  optional bool serverVNCAllowed = 36;
+
+  optional bool disableVNCApproval = 37;
 }

 message SetConfigResponse{}
@@ -740,15 +772,6 @@ message GetFeaturesResponse{
  bool disable_networks = 3;
 }

-// MDMManagedFieldsViolation is attached as a gRPC error detail on a
-// FailedPrecondition status returned from SetConfig (and similar mutating
-// RPCs) when the caller tries to modify one or more MDM-enforced fields.
-// The fields list contains the offending key names; the entire request is
-// rejected (no partial apply).
-message MDMManagedFieldsViolation {
-  repeated string fields = 1;
-}
-
 message TriggerUpdateRequest {}

 message TriggerUpdateResponse {
@@ -890,3 +913,18 @@ message StartBundleCaptureRequest {
 message StartBundleCaptureResponse {}
 message StopBundleCaptureRequest {}
 message StopBundleCaptureResponse {}
+
+message RespondApprovalRequest {
+  // request_id matches the SystemEvent metadata key emitted by the daemon
+  // when a subsystem awaits user approval for an inbound connection.
+  string request_id = 1;
+  // accept is true if the user approved the request, false if they
+  // denied it. A missing or unknown request_id is treated as a no-op.
+  bool accept = 2;
+  // view_only signals that the user granted the connection but withheld
+  // input control. Only meaningful when accept is true; ignored when
+  // accept is false.
+  bool view_only = 3;
+}
+
+message RespondApprovalResponse {}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Viktor Liu	144dfbc12c	Capture listener locally in accept loops to avoid nil deref on Stop	2026-05-25 17:02:28 +02:00
Viktor Liu	6c9465df54	Handle Lstat error in purgeStaleAgentSubdir	2026-05-25 15:52:30 +02:00
Viktor Liu	6cd5d6084f	Split prepareAgentSocketDir to reduce cognitive complexity	2026-05-25 15:09:28 +02:00
Viktor Liu	3bcacffd2c	Rename xauth_linux.go to xauth_x11.go so FreeBSD picks it up	2026-05-25 14:10:01 +02:00
Viktor Liu	65f302b698	Authenticate virtual X11 sessions with per-session MIT-MAGIC-COOKIE-1	2026-05-25 13:26:29 +02:00
Viktor Liu	2f67841b1e	Reuse /var/run/netbird as VNC agent socket parent via configs.RuntimeDir	2026-05-25 11:11:07 +02:00
Viktor Liu	bf2fb2fd44	Address CodeRabbit review on embedded VNC PR	2026-05-24 18:52:57 +02:00
Viktor Liu	4e3e3ce6d3	Surface VNC initiator in status, clarify proxy logs, dampen capture noise	2026-05-24 17:07:59 +02:00
Viktor Liu	5e2830be8a	Harden VNC server, IPC, and management plumbing	2026-05-24 16:02:36 +02:00
Viktor Liu	f557e665a5	Return error from gateApproval and log at the caller	2026-05-23 19:50:27 +02:00
Viktor Liu	fa57eedaf5	Address CodeRabbit review and fix CI on embedded-vnc	2026-05-23 19:44:21 +02:00
Viktor Liu	7cb6388349	Decline VNC approval early when no console user is logged in	2026-05-23 19:15:01 +02:00
Viktor Liu	1f912be673	Address codespell and Sonar findings on embedded-vnc	2026-05-23 19:06:02 +02:00
Viktor Liu	8d329da591	Evict orphaned packet captures and annotate VNC streams	2026-05-23 18:33:55 +02:00
Viktor Liu	8e72967bbe	Add per-connection user-approval prompts for VNC	2026-05-23 18:33:55 +02:00
Viktor Liu	c29ef638f4	Switch VNC daemon-to-agent IPC to Unix sockets and audit-log every connection	2026-05-22 15:32:35 +02:00
Viktor Liu	97b7b010f5	Fold init-only VNC and SSH setters into Config-struct constructors	2026-05-22 13:32:25 +02:00
Viktor Liu	030c57150f	Signal Zlib encode failure and fall back to Raw	2026-05-22 12:06:52 +02:00
Viktor Liu	0f03c612d1	Lower CreateTemporaryAccess complexity and emit VncAuth for session pubkeys	2026-05-22 12:01:18 +02:00
Viktor Liu	1cc5967198	Address follow-up CodeRabbit VNC findings	2026-05-22 11:35:16 +02:00
Viktor Liu	412193c602	Address CodeRabbit VNC review feedback	2026-05-21 18:09:07 +02:00
Viktor Liu	5e67febf57	Address Sonar findings and move noise to direct dependency	2026-05-21 17:55:27 +02:00
Viktor Liu	ee348ba007	Abort VNC agent dial retry loop on server shutdown	2026-05-21 17:44:22 +02:00
Viktor Liu	3d3055dc7f	Replace VNC JWT auth with a Noise_IK handshake bound to ACL-pushed pubkeys	2026-05-21 17:36:15 +02:00
Viktor Liu	2f4ddf0796	Emit explicit Fn flagsChanged transitions around macOS navigation keys	2026-05-21 12:30:14 +02:00
Viktor Liu	98d533c8e8	Address CodeRabbit feedback on VNC server agent matching and session lifecycle	2026-05-21 12:01:45 +02:00
Viktor Liu	ef4ea2e311	Set Fn flag on macOS navigation keycodes so the next key isn't treated as Fn-modified	2026-05-20 18:03:38 +02:00
Viktor Liu	b41d11bbbe	Allow Cursor pseudo-encoding in session mode and cache last XFixes sprite	2026-05-20 17:39:07 +02:00
Viktor Liu	f37e228cc2	Replace magic env-var and subcommand strings with named constants	2026-05-20 17:22:02 +02:00
Viktor Liu	640a267556	Address CodeRabbit feedback on VNC server	2026-05-20 17:16:55 +02:00
Viktor Liu	17359cdc1e	Fix VNC lint, 386 atomic alignment, and Sonar code smells	2026-05-20 16:34:29 +02:00
Viktor Liu	7e5846a1ee	Resolve merge conflicts with main	2026-05-20 15:38:01 +02:00
Viktor Liu	517bea0daf	Collapse X11 DISPLAY/XAUTHORITY auto-detect logs into one line	2026-05-20 15:36:26 +02:00
Viktor Liu	896530fd82	Add ExtendedMouseButtons for back/forward mouse buttons	2026-05-20 12:15:00 +02:00
Viktor Liu	354fd004c7	Enable IdP JWKS refresh in VNC JWT validator	2026-05-20 12:15:00 +02:00
Viktor Liu	c28e41e82b	Track macOS click count and pixel-scale wheel scroll	2026-05-20 12:14:53 +02:00
Viktor Liu	02b9fe704b	Use pixel-mode scroll on macOS for smoother wheel events	2026-05-20 12:14:45 +02:00
Viktor Liu	5e200fa571	Drop unreliable Sequoia preflight from macOS Screen Recording check	2026-05-20 12:14:37 +02:00
Viktor Liu	7d61975f6c	Proxy macOS VNC connections from the LaunchDaemon to a per-user agent via launchctl asuser	2026-05-20 12:12:20 +02:00
Viktor Liu	62b36112ea	Extract daemon-to-agent loopback proxy and token helpers into a platform-neutral file	2026-05-20 12:11:15 +02:00
Viktor Liu	df9a6fb020	Drop pbpaste trace log that fires whenever the macOS pasteboard is empty	2026-05-20 12:11:15 +02:00
Viktor Liu	b1b04f9ec6	Composite remote cursor into the framebuffer when the dashboard toggles it on	2026-05-20 12:11:15 +02:00
Viktor Liu	fe15688f20	Emit Cursor pseudo-encoding on Linux, Windows, and macOS	2026-05-20 12:11:15 +02:00
Viktor Liu	2285db2b62	Treat ExtendedClipboard messages with the Caps bit as Caps regardless of co-set action bits	2026-05-20 12:11:15 +02:00
Viktor Liu	b3f0f53a23	Collapse dirty rects to their bounding box when the bbox is densely dirty	2026-05-20 12:11:15 +02:00
Viktor Liu	5eec9962ba	Honour client JPEG quality fully now that backpressure caps it dynamically	2026-05-20 12:11:15 +02:00
Viktor Liu	393c102f45	Throttle VNC encoder JPEG quality and skip frames under write backpressure	2026-05-20 12:11:15 +02:00
Viktor Liu	b41fbad5e1	Surface DXGI fallback to GDI at warn level on Windows	2026-05-20 12:11:15 +02:00
Viktor Liu	24a5f2252c	Accept any RGB shift permutation as Tight-compatible per RFB 7.7.6	2026-05-20 12:11:15 +02:00
Viktor Liu	9d189bb3e8	Restore Hextile SolidFill and Zlib encoding paths	2026-05-20 12:11:15 +02:00
Maycon Santos	8e2505b59c	[management] Add metrics for peer status updates and ephemeral cleanup (#6196 ) * [management] Add metrics for peer status updates and ephemeral cleanup The session-fenced MarkPeerConnected / MarkPeerDisconnected path and the ephemeral peer cleanup loop both run silently today: when fencing rejects a stale stream, when a cleanup tick deletes peers, or when a batch delete fails, we have no operational signal beyond log lines. Add OpenTelemetry counters and a histogram so the same SLO-style dashboards that already exist for the network-map controller can cover peer connect/disconnect and ephemeral cleanup too. All new attributes are bounded enums: operation in {connect,disconnect} and outcome in {applied,stale,error,peer_not_found}. No account, peer, or user ID is ever written as a metric label — total cardinality is fixed at compile time (8 counter series, 2 histogram series, 4 unlabeled ephemeral series). Metric methods are nil-receiver safe so test composition that doesn't wire telemetry (the bulk of the existing tests) works unchanged. The ephemeral manager exposes a SetMetrics setter rather than taking the collector through its constructor, keeping the constructor signature stable across all test call sites. * [management] Add OpenTelemetry metrics for ephemeral peer cleanup Introduce counters for tracking ephemeral peer cleanup, including peers pending deletion, cleanup runs, successful deletions, and failed batches. Metrics are nil-receiver safe to ensure compatibility with test setups without telemetry.	2026-05-20 12:11:15 +02:00
Maycon Santos	97bc1eebde	[management] Fence peer status updates with a session token (#6193 ) * [management] Fence peer status updates with a session token The connect/disconnect path used a best-effort LastSeen-after-streamStart comparison to decide whether a status update should land. Under contention — a re-sync arriving while the previous stream's disconnect was still in flight, or two management replicas seeing the same peer at once — the check was a read-then-decide-then-write window: any UPDATE in between caused the wrong row to be written. The Go-side time.Now() that fed the comparison also drifted under lock contention, since it was captured seconds before the write actually committed. Replace it with an integer-nanosecond fencing token stored alongside the status. Every gRPC sync stream uses its open time (UnixNano) as its token. Connects only land when the incoming token is strictly greater than the stored one; disconnects only land when the incoming token equals the stored one (i.e. we're the stream that owns the current session). Both are single optimistic-locked UPDATEs — no read-then-write, no transaction wrapper. LastSeen is now written by the database itself (CURRENT_TIMESTAMP). The caller never supplies it, so the value always reflects the real moment of the UPDATE rather than the moment the caller queued the work — which was already off by minutes under heavy lock contention. Side effects (geo lookup, peer-login-expiration scheduling, network-map fan-out) are explicitly documented as running after the fence UPDATE commits, never inside it. Geo also skips the update when realIP equals the stored ConnectionIP, dropping a redundant SavePeerLocation call on same-IP reconnects. Tests cover the three semantic cases (matched disconnect lands, stale disconnect dropped, stale connect dropped) plus a 16-goroutine race test that asserts the highest token always wins. * [management] Add SessionStartedAt to peer status updates Stored `SessionStartedAt` for fencing token propagation across goroutines and updated database queries/functions to handle the new field. Removed outdated geolocation handling logic and adjusted tests for concurrency safety. * Rename `peer_status_required_approval` to `peer_status_requires_approval` in SQL store fields	2026-05-20 12:11:15 +02:00
Nicolas Frati	32a5a061b8	[management] fix: device redirect uri wasn't registered (#6191 ) * fix: device redirect uri wasn't registered * fix lint	2026-05-20 12:11:15 +02:00
Viktor Liu	d927ef468a	Clean up legacy 32-bit and HKCU registry entries on Windows install (#6176 )	2026-05-20 12:11:15 +02:00
Maycon Santos	d3f3e08035	Avoid context cancellation in `cancelPeerRoutines` (#6175 ) When closing go routines and handling peer disconnect, we should avoid canceling the flow due to parent gRPC context cancellation. This change triggers disconnection handling with a context that is not bound to the parent gRPC cancellation.	2026-05-20 12:11:15 +02:00
Viktor Liu	6bb66e0fad	[management] Avoid peer IP reallocation when account settings update preserves the network range (#6173 )	2026-05-20 12:11:15 +02:00
Viktor Liu	bc407527f4	Register VNC netstack service only when netstack is active	2026-05-18 14:50:10 +02:00
Viktor Liu	5543404188	Cap honored VNC client JPEG quality at 50	2026-05-18 14:50:10 +02:00
Viktor Liu	c2fdf62f1f	Detect dead VNC peers on both ends and report session stats	2026-05-18 14:50:10 +02:00
Viktor Liu	b9f5264e36	Restore createRDPProxy wasm entry point for dashboard RDP	2026-05-18 14:50:10 +02:00
Viktor Liu	97d0a6776f	Release sticky modifiers and mouse buttons on client disconnect	2026-05-18 08:55:27 +02:00
Viktor Liu	7e7e056f3a	Reset Tight zlib stream when deflater is recreated mid-session Also scrub brand-name references from comments.	2026-05-18 07:54:21 +02:00
Viktor Liu	785f94d13f	Guard buildExtClipProvideText against oversized input	2026-05-18 07:42:24 +02:00
Viktor Liu	bfb6750b13	Reset encoding capability flags on each SetEncodings	2026-05-18 07:41:42 +02:00
Viktor Liu	f5e1057127	Latin-1 round-trip for legacy CutText and soft-fail ext clipboard errors	2026-05-18 07:41:12 +02:00
Viktor Liu	ee393d0e62	Clamp Tight length to 22 bits and fall back to Raw on overflow	2026-05-17 21:27:13 +02:00
Viktor Liu	0b8fc5da59	Split session.go: encoder pipeline and clipboard handling into separate files	2026-05-17 17:32:01 +02:00
Viktor Liu	2d0a54f31a	Fix golangci-lint and Sonar: drop newZlibState, extract applyEncoding, inline stub comment	2026-05-17 17:16:10 +02:00
Viktor Liu	61ec8d67de	Honor QualityLevel and CompressLevel pseudo-encodings	2026-05-17 16:52:57 +02:00
Viktor Liu	76add0b9b2	Fix ExtendedClipboard auto-request by advertising all actions in Caps	2026-05-17 16:47:53 +02:00
Viktor Liu	a11341f57a	Add ExtendedClipboard pseudo-encoding for UTF-8 bidirectional clipboard	2026-05-17 16:34:14 +02:00
Viktor Liu	b135d462d6	Drop unused zlibState.scratch field	2026-05-17 16:33:48 +02:00
Viktor Liu	da37a28951	Exclude VNC server from js, ios, and android builds	2026-05-17 15:48:15 +02:00
Viktor Liu	4f884d9f30	Add QEMU Extended Key Event for layout-independent input	2026-05-17 15:48:15 +02:00
Viktor Liu	2bed8b641b	Lock pixel format to 32bpp little-endian truecolour and reject other formats	2026-05-17 15:48:15 +02:00
Viktor Liu	b4f696272a	Drop unused VNC DES auth path	2026-05-17 15:48:15 +02:00
Viktor Liu	6d937af7a0	Drop dead Hextile and standalone Zlib encoding paths	2026-05-17 15:48:15 +02:00
Viktor Liu	db5b6cfbb7	Add DesktopSize, DesktopName, LastRect pseudo-encodings with resize detection	2026-05-17 15:48:15 +02:00
Viktor Liu	e75948753a	Prompt for macOS Accessibility and Screen Recording at VNC enable time	2026-05-17 15:48:15 +02:00
Viktor Liu	047cc958b5	Throttle capture-failure log to once per 5s while capturer is down	2026-05-17 08:23:34 +02:00
Viktor Liu	cd005ef9a9	Add CopyRect detection and emission for tile-aligned moves	2026-05-17 08:13:52 +02:00
Viktor Liu	44ed0c1992	Drop xclip-no-selection trace log that fires every 2s on Xvfb	2026-05-17 08:13:46 +02:00
Viktor Liu	d6d3fa95c7	Drop unused getPeerFromResource helper	2026-05-17 06:48:46 +02:00
Viktor Liu	fa90283781	Extract wildcard user merge helper to satisfy case-clause length	2026-05-17 06:37:42 +02:00
Viktor Liu	8bf13b0d0c	Merge SSH wildcard authorized users across matching rules	2026-05-17 06:33:27 +02:00
Viktor Liu	a8541a1529	Apply posture and validated-peers filtering on ResourceTypePeer policy resolution	2026-05-17 06:33:23 +02:00
Viktor Liu	94068d3ebc	Drop -ac from Xvfb/Xorg invocations to keep xhost localuser grant authoritative	2026-05-17 06:32:50 +02:00
Viktor Liu	738c585ee7	Guard VNC session negotiated encoding state with RWMutex	2026-05-17 06:32:31 +02:00
Viktor Liu	9b5541d17d	Extract session-address anonymization helper to lower status complexity	2026-05-16 22:11:28 +02:00
Viktor Liu	7123e6d1f4	Fix Windows lint errcheck/unused and Linux nilerr in console VNC fallback	2026-05-16 17:23:36 +02:00
Viktor Liu	62cf9e873b	Track active VNC sessions in status and address CodeRabbit findings	2026-05-16 17:06:19 +02:00
Viktor Liu	9f0aa1ce26	Add embedded VNC server with JWT auth and per-peer toggle	2026-05-16 16:49:14 +02:00