[management] pass meta update for browser clients (#6465)

* Migrate to profile ids

* Migrate android profile manager

* Clean up

* Fix review

* Add ID type

* Fix test and runes in ShortID()

* Fix profile switch on up and android comments

* Revert android profile to string id

* Fix feedback

* Fix UI feedback

* Fix id assignment

* Add renaming of profiles

* Fix review

* Remove ui binary
* Fix getProfileConfigPath not validating id

* Change resolve handle order and fix server merge problems

* Fix mdm test

.github/workflows/golangci-lint.yml

@@ -37,7 +37,7 @@ jobs:
             display_name: Linux
     name: ${{ matrix.display_name }}
     runs-on: ${{ matrix.os }}
-    timeout-minutes: 25
+    timeout-minutes: 15
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -62,4 +62,4 @@ jobs:
           skip-cache: true
           skip-save-cache: true
           cache-invalidation-interval: 0
-          args: --timeout=20m
+          args: --timeout=12m

.github/workflows/release.yml

@@ -9,10 +9,13 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.1.5"
-  GORELEASER_VER: "v2.14.3"
+  SIGN_PIPE_VER: "v0.1.6"
+  GORELEASER_VER: "v2.16.0"
   PRODUCT_NAME: "NetBird"
   COPYRIGHT: "NetBird GmbH"
+  flags: ""
+  SKIP_PUBLISH: "true"
+  SKIP_DOCKER_PUSH: "false"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
@@ -130,8 +133,6 @@ jobs:
       windows_packages_artifact_url: ${{ steps.upload_windows_packages.outputs.artifact-url }}
       macos_packages_artifact_url: ${{ steps.upload_macos_packages.outputs.artifact-url }}
       ghcr_images: ${{ steps.tag_and_push_images.outputs.images_markdown }}
-    env:
-      flags: ""
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -143,8 +144,27 @@ jobs:
         id: semver_parser
         uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
 
-      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
-        run: echo "flags=--snapshot" >> $GITHUB_ENV
+      - name: Set snapshot flag
+        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
+        run: | 
+          echo "flags=--snapshot" >> $GITHUB_ENV
+
+      - name: Set build vars
+        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
+        run: |
+          if [[ "x-${{ steps.semver_parser.outputs.prerelease }}" == "x-" && "x-${{ github.repository }}" == "x-netbirdio/netbird" ]]; then
+            echo "x-${{ github.repository }}" 
+            echo "x-${{ steps.semver_parser.outputs.prerelease }}"
+            echo "SKIP_PUBLISH=false" >> $GITHUB_ENV
+          else
+            echo "x-${{ github.repository }}" 
+            echo "x-${{ steps.semver_parser.outputs.prerelease }}"
+          fi
+          
+          if [[ "x-${{ github.repository }}" != "x-netbirdio/netbird" ]]; then
+            echo "SKIP_DOCKER_PUSH=true" >> $GITHUB_ENV
+          fi
+
       - name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
@@ -212,6 +232,8 @@ jobs:
           UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
           GPG_RPM_KEY_FILE: ${{ env.GPG_RPM_KEY_FILE }}
           NFPM_NETBIRD_RPM_PASSPHRASE: ${{ secrets.GPG_RPM_PASSPHRASE }}
+          SKIP_PUBLISH: ${{ env.SKIP_PUBLISH }}
+          SKIP_DOCKER_PUSH: ${{ env.SKIP_DOCKER_PUSH }}
       - name: Verify RPM signatures
         run: |
           docker run --rm -v $(pwd)/dist:/dist fedora:41 bash -c '
@@ -334,8 +356,22 @@ jobs:
         id: semver_parser
         uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
 
-      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
-        run: echo "flags=--snapshot" >> $GITHUB_ENV
+      - name: Set snapshot flag
+        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
+        run: |
+          echo "flags=--snapshot" >> $GITHUB_ENV
+
+      - name: Set build vars
+        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
+        run: |
+          if [[ "x-${{ steps.semver_parser.outputs.prerelease }}" == "x-" && "x-${{ github.repository }}" == "x-netbirdio/netbird" ]]; then
+            echo "x-${{ github.repository }}" 
+            echo "x-${{ steps.semver_parser.outputs.prerelease }}"
+            echo "SKIP_PUBLISH=false" >> $GITHUB_ENV
+          else
+            echo "x-${{ github.repository }}" 
+            echo "x-${{ steps.semver_parser.outputs.prerelease }}"
+          fi
 
       - name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
@@ -395,6 +431,7 @@ jobs:
           UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
           GPG_RPM_KEY_FILE: ${{ env.GPG_RPM_KEY_FILE }}
           NFPM_NETBIRD_UI_RPM_PASSPHRASE: ${{ secrets.GPG_RPM_PASSPHRASE }}
+          SKIP_PUBLISH: ${{ env.SKIP_PUBLISH }}
       - name: Verify RPM signatures
         run: |
           docker run --rm -v $(pwd)/dist:/dist fedora:41 bash -c '

.goreleaser.yaml

@@ -1,5 +1,7 @@
 version: 2
-
+env:
+  - SKIP_PUBLISH={{ if index .Env "SKIP_PUBLISH" }}{{ .Env.SKIP_PUBLISH }}{{ else }}true{{ end }}
+  - SKIP_DOCKER_PUSH={{ if index .Env "SKIP_DOCKER_PUSH" }}{{ .Env.SKIP_DOCKER_PUSH }}{{ else }}false{{ end }}
 project_name: netbird
 builds:
   - id: netbird-wasm
@@ -74,6 +76,8 @@ builds:
       - amd64
       - arm64
       - arm
+    goarm:
+      - 7
     ldflags:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
@@ -88,6 +92,8 @@ builds:
       - amd64
       - arm64
       - arm
+    goarm:
+      - 7
     ldflags:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
@@ -102,6 +108,8 @@ builds:
       - amd64
       - arm64
       - arm
+    goarm:
+      - 7
     ldflags:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
@@ -122,6 +130,8 @@ builds:
       - amd64
       - arm64
       - arm
+    goarm:
+      - 7
     ldflags:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
@@ -136,6 +146,8 @@ builds:
       - amd64
       - arm64
       - arm
+    goarm:
+      - 7
     ldflags:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
@@ -150,6 +162,8 @@ builds:
       - amd64
       - arm64
       - arm
+    goarm:
+      - 7
     ldflags:
       - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.BuildDate={{.CommitDate}}
     mod_timestamp: "{{ .CommitTimestamp }}"
@@ -170,6 +184,8 @@ builds:
       - amd64
       - arm64
       - arm
+    goarm:
+      - 7
     ldflags:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
@@ -222,670 +238,192 @@ nfpms:
     rpm:
       signature:
         key_file: '{{ if index .Env "GPG_RPM_KEY_FILE" }}{{ .Env.GPG_RPM_KEY_FILE }}{{ end }}'
-dockers:
-  - image_templates:
-      - netbirdio/netbird:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
-    ids:
-      - netbird
-    goarch: amd64
-    use: buildx
-    dockerfile: client/Dockerfile
-    extra_files:
-      - client/netbird-entrypoint.sh
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
-    ids:
-      - netbird
-    goarch: arm64
-    use: buildx
-    dockerfile: client/Dockerfile
-    extra_files:
-      - client/netbird-entrypoint.sh
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
-    ids:
-      - netbird
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: client/Dockerfile
-    extra_files:
-      - client/netbird-entrypoint.sh
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-
-  - image_templates:
-      - netbirdio/netbird:{{ .Version }}-rootless-amd64
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
-    ids:
-      - netbird
-    goarch: amd64
-    use: buildx
-    dockerfile: client/Dockerfile-rootless
-    extra_files:
-      - client/netbird-entrypoint.sh
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-    ids:
-      - netbird
-    goarch: arm64
-    use: buildx
-    dockerfile: client/Dockerfile-rootless
-    extra_files:
-      - client/netbird-entrypoint.sh
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird:{{ .Version }}-rootless-arm
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
-    ids:
-      - netbird
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: client/Dockerfile-rootless
-    extra_files:
-      - client/netbird-entrypoint.sh
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-
-  - image_templates:
-      - netbirdio/relay:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
-    ids:
-      - netbird-relay
-    goarch: amd64
-    use: buildx
-    dockerfile: relay/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/relay:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
-    ids:
-      - netbird-relay
-    goarch: arm64
-    use: buildx
-    dockerfile: relay/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/relay:{{ .Version }}-arm
-      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
-    ids:
-      - netbird-relay
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: relay/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/signal:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
-    ids:
-      - netbird-signal
-    goarch: amd64
-    use: buildx
-    dockerfile: signal/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/signal:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
-    ids:
-      - netbird-signal
-    goarch: arm64
-    use: buildx
-    dockerfile: signal/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/signal:{{ .Version }}-arm
-      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
-    ids:
-      - netbird-signal
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: signal/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/management:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
-    ids:
-      - netbird-mgmt
-    goarch: amd64
-    use: buildx
-    dockerfile: management/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/management:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
-    ids:
-      - netbird-mgmt
-    goarch: arm64
-    use: buildx
-    dockerfile: management/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/management:{{ .Version }}-arm
-      - ghcr.io/netbirdio/management:{{ .Version }}-arm
-    ids:
-      - netbird-mgmt
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: management/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/management:{{ .Version }}-debug-amd64
-      - ghcr.io/netbirdio/management:{{ .Version }}-debug-amd64
-    ids:
-      - netbird-mgmt
-    goarch: amd64
-    use: buildx
-    dockerfile: management/Dockerfile.debug
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/management:{{ .Version }}-debug-arm64v8
-      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm64v8
-    ids:
-      - netbird-mgmt
-    goarch: arm64
-    use: buildx
-    dockerfile: management/Dockerfile.debug
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-
-  - image_templates:
-      - netbirdio/management:{{ .Version }}-debug-arm
-      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm
-    ids:
-      - netbird-mgmt
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: management/Dockerfile.debug
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/upload:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
-    ids:
-      - netbird-upload
-    goarch: amd64
-    use: buildx
-    dockerfile: upload-server/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/upload:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
-    ids:
-      - netbird-upload
-    goarch: arm64
-    use: buildx
-    dockerfile: upload-server/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/upload:{{ .Version }}-arm
-      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
-    ids:
-      - netbird-upload
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: upload-server/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-    ids:
-      - netbird-server
-    goarch: amd64
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-    ids:
-      - netbird-server
-    goarch: arm64
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-    ids:
-      - netbird-server
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-    ids:
-      - netbird-proxy
-    goarch: amd64
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-    ids:
-      - netbird-proxy
-    goarch: arm64
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-    ids:
-      - netbird-proxy
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-docker_manifests:
-  - name_template: netbirdio/netbird:{{ .Version }}
-    image_templates:
-      - netbirdio/netbird:{{ .Version }}-arm64v8
-      - netbirdio/netbird:{{ .Version }}-arm
-      - netbirdio/netbird:{{ .Version }}-amd64
-
-  - name_template: netbirdio/netbird:latest
-    image_templates:
-      - netbirdio/netbird:{{ .Version }}-arm64v8
-      - netbirdio/netbird:{{ .Version }}-arm
-      - netbirdio/netbird:{{ .Version }}-amd64
-
-  - name_template: netbirdio/netbird:{{ .Version }}-rootless
-    image_templates:
-      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-      - netbirdio/netbird:{{ .Version }}-rootless-arm
-      - netbirdio/netbird:{{ .Version }}-rootless-amd64
-
-  - name_template: netbirdio/netbird:rootless-latest
-    image_templates:
-      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-      - netbirdio/netbird:{{ .Version }}-rootless-arm
-      - netbirdio/netbird:{{ .Version }}-rootless-amd64
-
-  - name_template: netbirdio/relay:{{ .Version }}
-    image_templates:
-      - netbirdio/relay:{{ .Version }}-arm64v8
-      - netbirdio/relay:{{ .Version }}-arm
-      - netbirdio/relay:{{ .Version }}-amd64
-
-  - name_template: netbirdio/relay:latest
-    image_templates:
-      - netbirdio/relay:{{ .Version }}-arm64v8
-      - netbirdio/relay:{{ .Version }}-arm
-      - netbirdio/relay:{{ .Version }}-amd64
-
-  - name_template: netbirdio/signal:{{ .Version }}
-    image_templates:
-      - netbirdio/signal:{{ .Version }}-arm64v8
-      - netbirdio/signal:{{ .Version }}-arm
-      - netbirdio/signal:{{ .Version }}-amd64
-
-  - name_template: netbirdio/signal:latest
-    image_templates:
-      - netbirdio/signal:{{ .Version }}-arm64v8
-      - netbirdio/signal:{{ .Version }}-arm
-      - netbirdio/signal:{{ .Version }}-amd64
-
-  - name_template: netbirdio/management:{{ .Version }}
-    image_templates:
-      - netbirdio/management:{{ .Version }}-arm64v8
-      - netbirdio/management:{{ .Version }}-arm
-      - netbirdio/management:{{ .Version }}-amd64
-
-  - name_template: netbirdio/management:latest
-    image_templates:
-      - netbirdio/management:{{ .Version }}-arm64v8
-      - netbirdio/management:{{ .Version }}-arm
-      - netbirdio/management:{{ .Version }}-amd64
-
-  - name_template: netbirdio/management:debug-latest
-    image_templates:
-      - netbirdio/management:{{ .Version }}-debug-arm64v8
-      - netbirdio/management:{{ .Version }}-debug-arm
-      - netbirdio/management:{{ .Version }}-debug-amd64
-  - name_template: netbirdio/upload:{{ .Version }}
-    image_templates:
-      - netbirdio/upload:{{ .Version }}-arm64v8
-      - netbirdio/upload:{{ .Version }}-arm
-      - netbirdio/upload:{{ .Version }}-amd64
-
-  - name_template: netbirdio/upload:latest
-    image_templates:
-      - netbirdio/upload:{{ .Version }}-arm64v8
-      - netbirdio/upload:{{ .Version }}-arm
-      - netbirdio/upload:{{ .Version }}-amd64
-
-  - name_template: netbirdio/netbird-server:{{ .Version }}
-    image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: netbirdio/netbird-server:latest
-    image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird:latest
-    image_templates:
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}-rootless
-    image_templates:
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird:rootless-latest
-    image_templates:
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
-
-  - name_template: ghcr.io/netbirdio/relay:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
-      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/relay:latest
-    image_templates:
-      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
-      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/signal:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
-      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/signal:latest
-    image_templates:
-      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
-      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/management:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/management:{{ .Version }}-arm
-      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/management:latest
-    image_templates:
-      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/management:{{ .Version }}-arm
-      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/management:debug-latest
-    image_templates:
-      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm64v8
-      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm
-      - ghcr.io/netbirdio/management:{{ .Version }}-debug-amd64
-
-  - name_template: ghcr.io/netbirdio/upload:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
-      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/upload:latest
-    image_templates:
-      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
-      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird-server:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird-server:latest
-    image_templates:
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: netbirdio/reverse-proxy:{{ .Version }}
-    image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: netbirdio/reverse-proxy:latest
-    image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/reverse-proxy:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/reverse-proxy:latest
-    image_templates:
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
+dockers_v2:
+   - id: netbird
+     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
+     ids:
+       - netbird
+     images:
+       - netbirdio/netbird
+       - ghcr.io/netbirdio/netbird
+     tags:
+       - "v{{ .Version }}"
+       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
+     dockerfile: client/Dockerfile
+     extra_files:
+       - client/netbird-entrypoint.sh
+     platforms:
+       - linux/amd64
+       - linux/arm64
+       - linux/arm/6
+     annotations:
+       "org.opencontainers.image.created": "{{.Date}}"
+       "org.opencontainers.image.title": "{{.ProjectName}}"
+       "org.opencontainers.image.version": "{{.Version}}"
+       "org.opencontainers.image.revision": "{{.FullCommit}}"
+       "org.opencontainers.image.source": "{{.GitURL}}"
+       "maintainer": "dev@netbird.io"
+   - id: netbird-rootless
+     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
+     ids:
+       - netbird
+     images:
+       - netbirdio/netbird
+       - ghcr.io/netbirdio/netbird
+     tags:
+       - "v{{ .Version }}-rootless"
+       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
+     dockerfile: client/Dockerfile-rootless
+     extra_files:
+       - client/netbird-entrypoint.sh
+     platforms:
+       - linux/amd64
+       - linux/arm64
+       - linux/arm/6
+     annotations:
+       "org.opencontainers.image.created": "{{.Date}}"
+       "org.opencontainers.image.title": "{{.ProjectName}}"
+       "org.opencontainers.image.version": "{{.Version}}"
+       "org.opencontainers.image.revision": "{{.FullCommit}}"
+       "org.opencontainers.image.source": "{{.GitURL}}"
+       "maintainer": "dev@netbird.io"
+   - id: relay
+     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
+     ids:
+       - netbird-relay
+     images:
+       - netbirdio/relay
+       - ghcr.io/netbirdio/relay
+     tags:
+       - "v{{ .Version }}"
+       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
+     dockerfile: relay/Dockerfile
+     platforms:
+       - linux/amd64
+       - linux/arm64
+       - linux/arm
+     annotations:
+       "org.opencontainers.image.created": "{{.Date}}"
+       "org.opencontainers.image.title": "{{.ProjectName}}"
+       "org.opencontainers.image.version": "{{.Version}}"
+       "org.opencontainers.image.revision": "{{.FullCommit}}"
+       "org.opencontainers.image.source": "{{.GitURL}}"
+       "maintainer": "dev@netbird.io"
+   - id: signal
+     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
+     ids:
+       - netbird-signal
+     images:
+       - netbirdio/signal
+       - ghcr.io/netbirdio/signal
+     tags:
+       - "v{{ .Version }}"
+       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
+     dockerfile: signal/Dockerfile
+     platforms:
+       - linux/amd64
+       - linux/arm64
+       - linux/arm
+     annotations:
+       "org.opencontainers.image.created": "{{.Date}}"
+       "org.opencontainers.image.title": "{{.ProjectName}}"
+       "org.opencontainers.image.version": "{{.Version}}"
+       "org.opencontainers.image.revision": "{{.FullCommit}}"
+       "org.opencontainers.image.source": "{{.GitURL}}"
+       "maintainer": "dev@netbird.io"
+   - id: management
+     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
+     ids:
+       - netbird-mgmt
+     images:
+       - netbirdio/management
+       - ghcr.io/netbirdio/management
+     tags:
+       - "v{{ .Version }}"
+       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
+     dockerfile: management/Dockerfile
+     platforms:
+       - linux/amd64
+       - linux/arm64
+       - linux/arm
+     annotations:
+       "org.opencontainers.image.created": "{{.Date}}"
+       "org.opencontainers.image.title": "{{.ProjectName}}"
+       "org.opencontainers.image.version": "{{.Version}}"
+       "org.opencontainers.image.revision": "{{.FullCommit}}"
+       "org.opencontainers.image.source": "{{.GitURL}}"
+       "maintainer": "dev@netbird.io"
+   - id: upload
+     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
+     ids:
+       - netbird-upload
+     images:
+       - netbirdio/upload
+       - ghcr.io/netbirdio/upload
+     tags:
+       - "v{{ .Version }}"
+       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
+     dockerfile: upload-server/Dockerfile
+     platforms:
+       - linux/amd64
+       - linux/arm64
+       - linux/arm
+     annotations:
+       "org.opencontainers.image.created": "{{.Date}}"
+       "org.opencontainers.image.title": "{{.ProjectName}}"
+       "org.opencontainers.image.version": "{{.Version}}"
+       "org.opencontainers.image.revision": "{{.FullCommit}}"
+       "org.opencontainers.image.source": "{{.GitURL}}"
+       "maintainer": "dev@netbird.io"
+   - id: netbird-server
+     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
+     ids:
+       - netbird-server
+     images:
+       - netbirdio/netbird-server
+       - ghcr.io/netbirdio/netbird-server
+     tags:
+       - "v{{ .Version }}"
+       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
+     dockerfile: combined/Dockerfile
+     platforms:
+       - linux/amd64
+       - linux/arm64
+       - linux/arm
+     annotations:
+       "org.opencontainers.image.created": "{{.Date}}"
+       "org.opencontainers.image.title": "{{.ProjectName}}"
+       "org.opencontainers.image.version": "{{.Version}}"
+       "org.opencontainers.image.revision": "{{.FullCommit}}"
+       "org.opencontainers.image.source": "{{.GitURL}}"
+       "maintainer": "dev@netbird.io"
+   - id: netbird-proxy
+     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
+     ids:
+       - netbird-proxy
+     images:
+       - netbirdio/reverse-proxy
+       - ghcr.io/netbirdio/reverse-proxy
+     tags:
+       - "v{{ .Version }}"
+       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
+     dockerfile: proxy/Dockerfile
+     platforms:
+       - linux/amd64
+       - linux/arm64
+       - linux/arm
+     annotations:
+       "org.opencontainers.image.created": "{{.Date}}"
+       "org.opencontainers.image.title": "{{.ProjectName}}"
+       "org.opencontainers.image.version": "{{.Version}}"
+       "org.opencontainers.image.revision": "{{.FullCommit}}"
+       "org.opencontainers.image.source": "{{.GitURL}}"
+       "maintainer": "dev@netbird.io"
 
 brews:
   - ids:
       - default
+    skip_upload: "{{ .Env.SKIP_PUBLISH }}"
     repository:
       owner: netbirdio
       name: homebrew-tap
@@ -902,6 +440,7 @@ brews:
 
 uploads:
   - name: debian
+    skip: "{{ .Env.SKIP_PUBLISH }}"
     ids:
       - netbird_deb
     mode: archive
@@ -910,6 +449,7 @@ uploads:
     method: PUT
 
   - name: yum
+    skip: "{{ .Env.SKIP_PUBLISH }}"
     ids:
       - netbird_rpm
     mode: archive

.goreleaser_ui.yaml

@@ -1,5 +1,6 @@
 version: 2
-
+env:
+  - SKIP_PUBLISH={{ if index .Env "SKIP_PUBLISH" }}{{ .Env.SKIP_PUBLISH }}{{ else }}true{{ end }}
 project_name: netbird-ui
 builds:
   - id: netbird-ui
@@ -101,6 +102,7 @@ nfpms:
 
 uploads:
   - name: debian
+    skip: "{{ .Env.SKIP_PUBLISH }}"
     ids:
       - netbird_ui_deb
     mode: archive
@@ -109,6 +111,7 @@ uploads:
     method: PUT
 
   - name: yum
+    skip: "{{ .Env.SKIP_PUBLISH }}"
     ids:
       - netbird_ui_rpm
     mode: archive

client/Dockerfile

@@ -4,7 +4,7 @@
 #   sudo podman build -t localhost/netbird:latest -f client/Dockerfile --ignorefile .dockerignore-client .
 #   sudo podman run --rm -it --cap-add={BPF,NET_ADMIN,NET_RAW} localhost/netbird:latest
 
-FROM alpine:3.23.3
+FROM alpine:3.24
 # iproute2: busybox doesn't display ip rules properly
 RUN apk add --no-cache \
     bash \
@@ -21,7 +21,7 @@ ENV \
     NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
 
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]
-
-ARG NETBIRD_BINARY=netbird
+ARG TARGETPLATFORM
+ARG NETBIRD_BINARY=$TARGETPLATFORM/netbird
 COPY client/netbird-entrypoint.sh /usr/local/bin/netbird-entrypoint.sh
 COPY "${NETBIRD_BINARY}"  /usr/local/bin/netbird

client/Dockerfile-rootless

@@ -4,7 +4,7 @@
 #   podman build -t localhost/netbird:latest -f client/Dockerfile --ignorefile .dockerignore-client .
 #   podman run --rm -it --cap-add={BPF,NET_ADMIN,NET_RAW} localhost/netbird:latest
 
-FROM alpine:3.22.0
+FROM alpine:3.24
 
 RUN apk add --no-cache \
       bash \
@@ -27,7 +27,7 @@ ENV \
     NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
 
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]
-
-ARG NETBIRD_BINARY=netbird
+ARG TARGETPLATFORM
+ARG NETBIRD_BINARY=$TARGETPLATFORM/netbird
 COPY client/netbird-entrypoint.sh /usr/local/bin/netbird-entrypoint.sh
 COPY "${NETBIRD_BINARY}"  /usr/local/bin/netbird

client/android/profile_manager.go

@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"strings"
 
 	log "github.com/sirupsen/logrus"
 
@@ -24,6 +23,7 @@ const (
 
 // Profile represents a profile for gomobile
 type Profile struct {
+	ID       string
 	Name     string
 	IsActive bool
 }
@@ -53,10 +53,10 @@ func (p *ProfileArray) Get(i int) *Profile {
 ├── state.json                                  ← Default profile state
 ├── active_profile.json                         ← Active profile tracker (JSON with Name + Username)
 └── profiles/                                   ← Subdirectory for non-default profiles
-    ├── work.json                              ← Work profile config
-    ├── work.state.json                        ← Work profile state
-    ├── personal.json                          ← Personal profile config
-    └── personal.state.json                    ← Personal profile state
+    ├── work.json                              			← Legacy work profile config
+    ├── work.state.json                        			← Legacy work profile state
+    ├── 4c5f5c8198c3989cffb5b5394f5a7ae0.json  			← ID profile config
+    ├── 4c5f5c8198c3989cffb5b5394f5a7ae0.state.json ← ID profile state
 */
 
 // ProfileManager manages profiles for Android
@@ -99,6 +99,7 @@ func (pm *ProfileManager) ListProfiles() (*ProfileArray, error) {
 	var profiles []*Profile
 	for _, p := range internalProfiles {
 		profiles = append(profiles, &Profile{
+			ID:       p.ID.String(),
 			Name:     p.Name,
 			IsActive: p.IsActive,
 		})
@@ -108,55 +109,65 @@ func (pm *ProfileManager) ListProfiles() (*ProfileArray, error) {
 }
 
 // GetActiveProfile returns the currently active profile name
-func (pm *ProfileManager) GetActiveProfile() (string, error) {
+func (pm *ProfileManager) GetActiveProfile() (*Profile, error) {
 	// Use ServiceManager to stay consistent with ListProfiles
 	// ServiceManager uses active_profile.json
 	activeState, err := pm.serviceMgr.GetActiveProfileState()
 	if err != nil {
-		return "", fmt.Errorf("failed to get active profile: %w", err)
+		return nil, fmt.Errorf("failed to get active profile: %w", err)
 	}
-	return activeState.Name, nil
+
+	// ActiveProfileState only stores the ID (and username), not the display
+	// name. Resolve the ID to the full profile so callers get the real Name.
+	prof, err := pm.serviceMgr.ResolveProfile(activeState.ID.String(), androidUsername)
+	if err != nil {
+		return nil, fmt.Errorf("failed to resolve active profile %q: %w", activeState.ID, err)
+	}
+	return &Profile{ID: prof.ID.String(), Name: prof.Name, IsActive: true}, nil
 }
 
 // SwitchProfile switches to a different profile
-func (pm *ProfileManager) SwitchProfile(profileName string) error {
+func (pm *ProfileManager) SwitchProfile(id string) error {
 	// Use ServiceManager to stay consistent with ListProfiles
 	// ServiceManager uses active_profile.json
 	err := pm.serviceMgr.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		Name:     profileName,
+		ID:       profilemanager.ID(id),
 		Username: androidUsername,
 	})
 	if err != nil {
 		return fmt.Errorf("failed to switch profile: %w", err)
 	}
 
-	log.Infof("switched to profile: %s", profileName)
+	log.Infof("switched to profile: %s", id)
 	return nil
 }
 
 // AddProfile creates a new profile
 func (pm *ProfileManager) AddProfile(profileName string) error {
 	// Use ServiceManager (creates profile in profiles/ directory)
-	if err := pm.serviceMgr.AddProfile(profileName, androidUsername); err != nil {
+	profile, err := pm.serviceMgr.AddProfile(profileName, androidUsername)
+	if err != nil {
 		return fmt.Errorf("failed to add profile: %w", err)
 	}
 
-	log.Infof("created new profile: %s", profileName)
+	log.Infof("created new profile: %s", profile.ID)
 	return nil
 }
 
 // LogoutProfile logs out from a profile (clears authentication)
-func (pm *ProfileManager) LogoutProfile(profileName string) error {
-	profileName = sanitizeProfileName(profileName)
-
-	configPath, err := pm.getProfileConfigPath(profileName)
+func (pm *ProfileManager) LogoutProfile(id string) error {
+	configPath, err := pm.getProfileConfigPath(id)
 	if err != nil {
 		return err
 	}
 
+	if !profilemanager.IsValidProfileFilenameStem(profilemanager.ID(id)) {
+		return fmt.Errorf("id '%s' is not valid", id)
+	}
+
 	// Check if profile exists
 	if _, err := os.Stat(configPath); os.IsNotExist(err) {
-		return fmt.Errorf("profile '%s' does not exist", profileName)
+		return fmt.Errorf("profile '%s' does not exist", id)
 	}
 
 	// Read current config using internal profilemanager
@@ -174,53 +185,57 @@ func (pm *ProfileManager) LogoutProfile(profileName string) error {
 		return fmt.Errorf("failed to save config: %w", err)
 	}
 
-	log.Infof("logged out from profile: %s", profileName)
+	log.Infof("logged out from profile: %s", id)
 	return nil
 }
 
 // RemoveProfile deletes a profile
-func (pm *ProfileManager) RemoveProfile(profileName string) error {
+func (pm *ProfileManager) RemoveProfile(id string) error {
 	// Use ServiceManager (removes profile from profiles/ directory)
-	if err := pm.serviceMgr.RemoveProfile(profileName, androidUsername); err != nil {
+	if err := pm.serviceMgr.RemoveProfile(profilemanager.ID(id), androidUsername); err != nil {
 		return fmt.Errorf("failed to remove profile: %w", err)
 	}
 
-	log.Infof("removed profile: %s", profileName)
+	log.Infof("removed profile: %s", id)
 	return nil
 }
 
 // getProfileConfigPath returns the config file path for a profile
 // This is needed for Android-specific path handling (netbird.cfg for default profile)
-func (pm *ProfileManager) getProfileConfigPath(profileName string) (string, error) {
-	if profileName == "" || profileName == profilemanager.DefaultProfileName {
+func (pm *ProfileManager) getProfileConfigPath(id string) (string, error) {
+	if !profilemanager.IsValidProfileFilenameStem(profilemanager.ID(id)) {
+		return "", fmt.Errorf("id %q is not valid", id)
+	}
+
+	if id == profilemanager.DefaultProfileName {
 		// Android uses netbird.cfg for default profile instead of default.json
 		// Default profile is stored in root configDir, not in profiles/
 		return filepath.Join(pm.configDir, defaultConfigFilename), nil
 	}
 
-	// Non-default profiles are stored in profiles subdirectory
-	// This matches the Java Preferences.java expectation
-	profileName = sanitizeProfileName(profileName)
 	profilesDir := filepath.Join(pm.configDir, profilesSubdir)
-	return filepath.Join(profilesDir, profileName+".json"), nil
+	return filepath.Join(profilesDir, id+".json"), nil
 }
 
-// GetConfigPath returns the config file path for a given profile
+// GetConfigPath returns the config file path for a given profile id
 // Java should call this instead of constructing paths with Preferences.configFile()
-func (pm *ProfileManager) GetConfigPath(profileName string) (string, error) {
-	return pm.getProfileConfigPath(profileName)
+func (pm *ProfileManager) GetConfigPath(id string) (string, error) {
+	return pm.getProfileConfigPath(id)
 }
 
 // GetStateFilePath returns the state file path for a given profile
 // Java should call this instead of constructing paths with Preferences.stateFile()
-func (pm *ProfileManager) GetStateFilePath(profileName string) (string, error) {
-	if profileName == "" || profileName == profilemanager.DefaultProfileName {
+func (pm *ProfileManager) GetStateFilePath(id string) (string, error) {
+	if id == "" || id == profilemanager.DefaultProfileName {
 		return filepath.Join(pm.configDir, "state.json"), nil
 	}
 
-	profileName = sanitizeProfileName(profileName)
+	if !profilemanager.IsValidProfileFilenameStem(profilemanager.ID(id)) {
+		return "", fmt.Errorf("id %q is not valid", id)
+	}
+
 	profilesDir := filepath.Join(pm.configDir, profilesSubdir)
-	return filepath.Join(profilesDir, profileName+".state.json"), nil
+	return filepath.Join(profilesDir, id+".state.json"), nil
 }
 
 // GetActiveConfigPath returns the config file path for the currently active profile
@@ -230,7 +245,7 @@ func (pm *ProfileManager) GetActiveConfigPath() (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("failed to get active profile: %w", err)
 	}
-	return pm.GetConfigPath(activeProfile)
+	return pm.GetConfigPath(activeProfile.ID)
 }
 
 // GetActiveStateFilePath returns the state file path for the currently active profile
@@ -240,18 +255,5 @@ func (pm *ProfileManager) GetActiveStateFilePath() (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("failed to get active profile: %w", err)
 	}
-	return pm.GetStateFilePath(activeProfile)
-}
-
-// sanitizeProfileName removes invalid characters from profile name
-func sanitizeProfileName(name string) string {
-	// Keep only alphanumeric, underscore, and hyphen
-	var result strings.Builder
-	for _, r := range name {
-		if (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') ||
-			(r >= '0' && r <= '9') || r == '_' || r == '-' {
-			result.WriteRune(r)
-		}
-	}
-	return result.String()
+	return pm.GetStateFilePath(activeProfile.ID)
 }

client/cmd/login.go

@@ -96,17 +96,19 @@ func doDaemonLogin(ctx context.Context, cmd *cobra.Command, providedSetupKey str
 		dnsLabelsReq = dnsLabelsValidated.ToSafeStringList()
 	}
 
+	handle := activeProf.ID.String()
+
 	loginRequest := proto.LoginRequest{
 		SetupKey:            providedSetupKey,
 		ManagementUrl:       managementURL,
 		IsUnixDesktopClient: isUnixRunningDesktop(),
 		Hostname:            hostName,
 		DnsLabels:           dnsLabelsReq,
-		ProfileName:         &activeProf.Name,
+		ProfileName:         &handle,
 		Username:            &username,
 	}
 
-	profileState, err := pm.GetProfileState(activeProf.Name)
+	profileState, err := pm.GetProfileState(activeProf.ID)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {
@@ -170,14 +172,13 @@ func getActiveProfile(ctx context.Context, pm *profilemanager.ProfileManager, pr
 	return activeProf, nil
 }
 
-func switchProfileOnDaemon(ctx context.Context, pm *profilemanager.ProfileManager, profileName string, username string) error {
-	err := switchProfile(context.Background(), profileName, username)
+func switchProfileOnDaemon(ctx context.Context, pm *profilemanager.ProfileManager, handle string, username string) error {
+	resolvedID, err := switchProfile(ctx, handle, username)
 	if err != nil {
 		return fmt.Errorf("switch profile on daemon: %v", err)
 	}
 
-	err = pm.SwitchProfile(profileName)
-	if err != nil {
+	if err := pm.SwitchProfile(resolvedID); err != nil {
 		return fmt.Errorf("switch profile: %v", err)
 	}
 
@@ -205,11 +206,15 @@ func switchProfileOnDaemon(ctx context.Context, pm *profilemanager.ProfileManage
 	return nil
 }
 
-func switchProfile(ctx context.Context, profileName string, username string) error {
+// switchProfile asks the daemon to switch to the profile identified by
+// handle (a name, ID, or unique ID prefix). Returns the resolved profile
+// ID so the caller can update the local active-profile state without
+// re-resolving the handle.
+func switchProfile(ctx context.Context, handle string, username string) (profilemanager.ID, error) {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
 		//nolint
-		return fmt.Errorf("failed to connect to daemon error: %v\n"+
+		return "", fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)
 	}
@@ -217,15 +222,15 @@ func switchProfile(ctx context.Context, profileName string, username string) err
 
 	client := proto.NewDaemonServiceClient(conn)
 
-	_, err = client.SwitchProfile(ctx, &proto.SwitchProfileRequest{
-		ProfileName: &profileName,
+	resp, err := client.SwitchProfile(ctx, &proto.SwitchProfileRequest{
+		ProfileName: &handle,
 		Username:    &username,
 	})
 	if err != nil {
-		return fmt.Errorf("switch profile failed: %v", err)
+		return "", fmt.Errorf("switch profile failed: %v", err)
 	}
 
-	return nil
+	return profilemanager.ID(resp.Id), nil
 }
 
 func doForegroundLogin(ctx context.Context, cmd *cobra.Command, setupKey string, activeProf *profilemanager.Profile) error {
@@ -249,7 +254,7 @@ func doForegroundLogin(ctx context.Context, cmd *cobra.Command, setupKey string,
 		return fmt.Errorf("read config file %s: %v", configFilePath, err)
 	}
 
-	err = foregroundLogin(ctx, cmd, config, setupKey, activeProf.Name)
+	err = foregroundLogin(ctx, cmd, config, setupKey, activeProf.ID)
 	if err != nil {
 		return fmt.Errorf("foreground login failed: %v", err)
 	}
@@ -277,7 +282,7 @@ func handleSSOLogin(ctx context.Context, cmd *cobra.Command, loginResp *proto.Lo
 	return nil
 }
 
-func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, setupKey, profileName string) error {
+func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, setupKey string, profileID profilemanager.ID) error {
 	authClient, err := auth.NewAuth(ctx, config.PrivateKey, config.ManagementURL, config)
 	if err != nil {
 		return fmt.Errorf("failed to create auth client: %v", err)
@@ -291,7 +296,7 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman
 
 	jwtToken := ""
 	if setupKey == "" && needsLogin {
-		tokenInfo, err := foregroundGetTokenInfo(ctx, cmd, config, profileName)
+		tokenInfo, err := foregroundGetTokenInfo(ctx, cmd, config, profileID)
 		if err != nil {
 			return fmt.Errorf("interactive sso login failed: %v", err)
 		}
@@ -306,10 +311,10 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman
 	return nil
 }
 
-func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, profileName string) (*auth.TokenInfo, error) {
+func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, profileID profilemanager.ID) (*auth.TokenInfo, error) {
 	hint := ""
 	pm := profilemanager.NewProfileManager()
-	profileState, err := pm.GetProfileState(profileName)
+	profileState, err := pm.GetProfileState(profileID)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {

client/cmd/login_test.go

@@ -27,7 +27,7 @@ func TestLogin(t *testing.T) {
 	profilemanager.ActiveProfileStatePath = tempDir + "/active_profile.json"
 	sm := profilemanager.ServiceManager{}
 	err = sm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		Name:     "default",
+		ID:       "default",
 		Username: currUser.Username,
 	})
 	if err != nil {

client/cmd/profile.go

@@ -2,11 +2,16 @@ package cmd
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"os/user"
+	"strings"
+	"text/tabwriter"
 	"time"
 
 	"github.com/spf13/cobra"
+	"google.golang.org/grpc/codes"
+	gstatus "google.golang.org/grpc/status"
 
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
@@ -14,6 +19,8 @@ import (
 	"github.com/netbirdio/netbird/util"
 )
 
+var profileListShowID bool
+
 var profileCmd = &cobra.Command{
 	Use:   "profile",
 	Short: "Manage NetBird client profiles",
@@ -31,27 +38,40 @@ var profileListCmd = &cobra.Command{
 var profileAddCmd = &cobra.Command{
 	Use:   "add <profile_name>",
 	Short: "Add a new profile",
-	Long:  `Add a new profile to the NetBird client. The profile name must be unique.`,
+	Long:  `Add a new profile. Profile name is free-form, a unique ID is generated for the on-disk config file.`,
 	Args:  cobra.ExactArgs(1),
 	RunE:  addProfileFunc,
 }
 
+var profileRenameCmd = &cobra.Command{
+	Use:   "rename <profile> <new_profile_name>",
+	Short: "Renames an existing profile",
+	Long:  `Renames an existing profile (by a name, ID, or unique ID prefix). Profile name is free-form.`,
+	Args:  cobra.ExactArgs(2),
+	RunE:  renameProfileFunc,
+}
+
 var profileRemoveCmd = &cobra.Command{
-	Use:   "remove <profile_name>",
-	Short: "Remove a profile",
-	Long:  `Remove a profile from the NetBird client. The profile must not be inactive.`,
-	Args:  cobra.ExactArgs(1),
-	RunE:  removeProfileFunc,
+	Use:     "remove <profile>",
+	Short:   "Remove a profile",
+	Long:    `Remove a profile by name, ID, or unique ID prefix.`,
+	Aliases: []string{"rm"},
+	Args:    cobra.ExactArgs(1),
+	RunE:    removeProfileFunc,
 }
 
 var profileSelectCmd = &cobra.Command{
-	Use:   "select <profile_name>",
+	Use:   "select <profile>",
 	Short: "Select a profile",
-	Long:  `Make the specified profile active. This will switch the client to use the selected profile's configuration.`,
+	Long:  `Make the specified profile active. Accepts a name, ID, or unique ID prefix.`,
 	Args:  cobra.ExactArgs(1),
 	RunE:  selectProfileFunc,
 }
 
+func init() {
+	profileListCmd.Flags().BoolVar(&profileListShowID, "show-id", false, "show the profile ID column")
+}
+
 func setupCmd(cmd *cobra.Command) error {
 	SetFlagsFromEnvVars(rootCmd)
 	SetFlagsFromEnvVars(cmd)
@@ -65,6 +85,7 @@ func setupCmd(cmd *cobra.Command) error {
 
 	return nil
 }
+
 func listProfilesFunc(cmd *cobra.Command, _ []string) error {
 	if err := setupCmd(cmd); err != nil {
 		return err
@@ -83,25 +104,33 @@ func listProfilesFunc(cmd *cobra.Command, _ []string) error {
 
 	daemonClient := proto.NewDaemonServiceClient(conn)
 
-	profiles, err := daemonClient.ListProfiles(cmd.Context(), &proto.ListProfilesRequest{
+	resp, err := daemonClient.ListProfiles(cmd.Context(), &proto.ListProfilesRequest{
 		Username: currUser.Username,
 	})
 	if err != nil {
 		return err
 	}
 
-	// list profiles, add a tick if the profile is active
-	cmd.Println("Found", len(profiles.Profiles), "profiles:")
-	for _, profile := range profiles.Profiles {
-		// use a cross to indicate the passive profiles
-		activeMarker := "✗"
-		if profile.IsActive {
-			activeMarker = "✓"
-		}
-		cmd.Println(activeMarker, profile.Name)
+	tw := tabwriter.NewWriter(cmd.OutOrStdout(), 0, 0, 2, ' ', 0)
+	if profileListShowID {
+		fmt.Fprintln(tw, "ID\tNAME\tACTIVE")
+	} else {
+		fmt.Fprintln(tw, "NAME\tACTIVE")
 	}
-
-	return nil
+	for _, profile := range resp.Profiles {
+		marker := ""
+		if profile.IsActive {
+			marker = "✓"
+		}
+		name := profilemanager.StripCtrlChars(profile.Name)
+		id := profilemanager.ID(profile.Id)
+		if profileListShowID {
+			fmt.Fprintf(tw, "%s\t%s\t%s\n", id.ShortID(), name, marker)
+		} else {
+			fmt.Fprintf(tw, "%s\t%s\n", name, marker)
+		}
+	}
+	return tw.Flush()
 }
 
 func addProfileFunc(cmd *cobra.Command, args []string) error {
@@ -121,21 +150,82 @@ func addProfileFunc(cmd *cobra.Command, args []string) error {
 	}
 
 	daemonClient := proto.NewDaemonServiceClient(conn)
-
 	profileName := args[0]
 
-	_, err = daemonClient.AddProfile(cmd.Context(), &proto.AddProfileRequest{
+	resp, err := daemonClient.AddProfile(cmd.Context(), &proto.AddProfileRequest{
 		ProfileName: profileName,
 		Username:    currUser.Username,
 	})
 	if err != nil {
+		return fmt.Errorf("add profile request: %w", err)
+	}
+
+	dupCount, _ := countProfilesWithName(cmd.Context(), daemonClient, currUser.Username, profileName)
+	if dupCount > 1 {
+		cmd.Printf("Warning: %d other profile(s) already use the name %q.\n", dupCount-1, profileName)
+		cmd.Println("Use `netbird profile list --show-id` to disambiguate later.")
+	}
+
+	id := profilemanager.ID(resp.Id)
+	cmd.Printf("Profile added: %s  %s\n", id.ShortID(), profilemanager.StripCtrlChars(profileName))
+	return nil
+
+}
+
+func renameProfileFunc(cmd *cobra.Command, args []string) error {
+	if err := setupCmd(cmd); err != nil {
 		return err
 	}
 
-	cmd.Println("Profile added successfully:", profileName)
+	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
+	if err != nil {
+		return fmt.Errorf("connect to service CLI interface: %w", err)
+	}
+	defer conn.Close()
+
+	currUser, err := user.Current()
+	if err != nil {
+		return fmt.Errorf("get current user: %w", err)
+	}
+
+	daemonClient := proto.NewDaemonServiceClient(conn)
+	handle := args[0]
+	newProfilename := args[1]
+
+	resp, err := daemonClient.RenameProfile(cmd.Context(), &proto.RenameProfileRequest{
+		Handle:         handle,
+		Username:       currUser.Username,
+		NewProfileName: newProfilename,
+	})
+	if err != nil {
+		return wrapAmbiguityError(err, handle)
+	}
+
+	dupCount, _ := countProfilesWithName(cmd.Context(), daemonClient, currUser.Username, newProfilename)
+	if dupCount > 1 {
+		cmd.Printf("Warning: %d other profile(s) already use the name %q.\n", dupCount-1, newProfilename)
+		cmd.Println("Use `netbird profile list --show-id` to disambiguate later.")
+	}
+
+	cmd.Printf("Profile renamed from %s to %s\n", profilemanager.StripCtrlChars(resp.OldProfileName), profilemanager.StripCtrlChars(newProfilename))
+
 	return nil
 }
 
+func countProfilesWithName(ctx context.Context, c proto.DaemonServiceClient, username, name string) (int, error) {
+	resp, err := c.ListProfiles(ctx, &proto.ListProfilesRequest{Username: username})
+	if err != nil {
+		return 0, err
+	}
+	n := 0
+	for _, p := range resp.Profiles {
+		if p.Name == name {
+			n++
+		}
+	}
+	return n, nil
+}
+
 func removeProfileFunc(cmd *cobra.Command, args []string) error {
 	if err := setupCmd(cmd); err != nil {
 		return err
@@ -153,18 +243,17 @@ func removeProfileFunc(cmd *cobra.Command, args []string) error {
 	}
 
 	daemonClient := proto.NewDaemonServiceClient(conn)
+	handle := args[0]
 
-	profileName := args[0]
-
-	_, err = daemonClient.RemoveProfile(cmd.Context(), &proto.RemoveProfileRequest{
-		ProfileName: profileName,
+	resp, err := daemonClient.RemoveProfile(cmd.Context(), &proto.RemoveProfileRequest{
+		ProfileName: handle,
 		Username:    currUser.Username,
 	})
 	if err != nil {
-		return err
+		return wrapAmbiguityError(err, handle)
 	}
 
-	cmd.Println("Profile removed successfully:", profileName)
+	cmd.Printf("Profile removed: %s\n", resp.Id)
 	return nil
 }
 
@@ -174,7 +263,7 @@ func selectProfileFunc(cmd *cobra.Command, args []string) error {
 	}
 
 	profileManager := profilemanager.NewProfileManager()
-	profileName := args[0]
+	handle := args[0]
 
 	currUser, err := user.Current()
 	if err != nil {
@@ -191,32 +280,15 @@ func selectProfileFunc(cmd *cobra.Command, args []string) error {
 
 	daemonClient := proto.NewDaemonServiceClient(conn)
 
-	profiles, err := daemonClient.ListProfiles(ctx, &proto.ListProfilesRequest{
-		Username: currUser.Username,
+	switchResp, err := daemonClient.SwitchProfile(ctx, &proto.SwitchProfileRequest{
+		ProfileName: &handle,
+		Username:    &currUser.Username,
 	})
 	if err != nil {
-		return fmt.Errorf("list profiles: %w", err)
+		return wrapAmbiguityError(err, handle)
 	}
 
-	var profileExists bool
-
-	for _, profile := range profiles.Profiles {
-		if profile.Name == profileName {
-			profileExists = true
-			break
-		}
-	}
-
-	if !profileExists {
-		return fmt.Errorf("profile %s does not exist", profileName)
-	}
-
-	if err := switchProfile(cmd.Context(), profileName, currUser.Username); err != nil {
-		return err
-	}
-
-	err = profileManager.SwitchProfile(profileName)
-	if err != nil {
+	if err := profileManager.SwitchProfile(profilemanager.ID(switchResp.Id)); err != nil {
 		return err
 	}
 
@@ -231,6 +303,30 @@ func selectProfileFunc(cmd *cobra.Command, args []string) error {
 		}
 	}
 
-	cmd.Println("Profile switched successfully to:", profileName)
+	id := profilemanager.ID(switchResp.Id)
+	cmd.Printf("Profile switched to: %s\n", id.ShortID())
 	return nil
 }
+
+// wrapAmbiguityError turns the daemon's gRPC InvalidArgument errors
+// (which carry the resolver's message verbatim) into CLI-friendly text
+// that points the user at --show-id.
+func wrapAmbiguityError(err error, handle string) error {
+	if err == nil {
+		return nil
+	}
+	st, ok := gstatus.FromError(err)
+	if !ok {
+		return err
+	}
+	switch st.Code() {
+	case codes.InvalidArgument:
+		msg := st.Message()
+		if strings.Contains(msg, "ambiguous") {
+			return errors.New(msg + "\nRun `netbird profile list --show-id` to see IDs, then select by ID prefix:\n  netbird profile select|remove <id-prefix>")
+		}
+	case codes.NotFound:
+		return fmt.Errorf("profile %q not found", handle)
+	}
+	return err
+}

client/cmd/root.go

@@ -190,6 +190,7 @@ func init() {
 	// profile commands
 	profileCmd.AddCommand(profileListCmd)
 	profileCmd.AddCommand(profileAddCmd)
+	profileCmd.AddCommand(profileRenameCmd)
 	profileCmd.AddCommand(profileRemoveCmd)
 	profileCmd.AddCommand(profileSelectCmd)
 

client/cmd/up.go

@@ -128,13 +128,12 @@ func upFunc(cmd *cobra.Command, args []string) error {
 	var profileSwitched bool
 	// switch profile if provided
 	if profileName != "" {
-		err = switchProfile(cmd.Context(), profileName, username.Username)
+		resolvedID, err := switchProfile(cmd.Context(), profileName, username.Username)
 		if err != nil {
 			return fmt.Errorf("switch profile: %v", err)
 		}
 
-		err = pm.SwitchProfile(profileName)
-		if err != nil {
+		if err := pm.SwitchProfile(resolvedID); err != nil {
 			return fmt.Errorf("switch profile: %v", err)
 		}
 
@@ -190,7 +189,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command, activeProf *pr
 
 	_, _ = profilemanager.UpdateOldManagementURL(ctx, config, configFilePath)
 
-	err = foregroundLogin(ctx, cmd, config, providedSetupKey, activeProf.Name)
+	err = foregroundLogin(ctx, cmd, config, providedSetupKey, activeProf.ID)
 	if err != nil {
 		return fmt.Errorf("foreground login failed: %v", err)
 	}
@@ -261,10 +260,10 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command, pm *profilemanager
 	}
 
 	// set the new config
-	req := setupSetConfigReq(customDNSAddressConverted, cmd, activeProf.Name, username.Username)
+	req := setupSetConfigReq(customDNSAddressConverted, cmd, activeProf.ID.String(), username.Username)
 	if _, err := client.SetConfig(ctx, req); err != nil {
 		if st, ok := gstatus.FromError(err); ok && st.Code() == codes.Unavailable {
-			log.Warnf("setConfig method is not available in the daemon")
+			log.Warnf("setConfig method is not available in the daemon: %s", st.Message())
 		} else {
 			return fmt.Errorf("call service setConfig method: %v", err)
 		}
@@ -289,10 +288,11 @@ func doDaemonUp(ctx context.Context, cmd *cobra.Command, client proto.DaemonServ
 		return fmt.Errorf("setup login request: %v", err)
 	}
 
-	loginRequest.ProfileName = &activeProf.Name
+	profileID := activeProf.ID.String()
+	loginRequest.ProfileName = &profileID
 	loginRequest.Username = &username
 
-	profileState, err := pm.GetProfileState(activeProf.Name)
+	profileState, err := pm.GetProfileState(activeProf.ID)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {
@@ -329,7 +329,7 @@ func doDaemonUp(ctx context.Context, cmd *cobra.Command, client proto.DaemonServ
 	}
 
 	if _, err := client.Up(ctx, &proto.UpRequest{
-		ProfileName: &activeProf.Name,
+		ProfileName: &profileID,
 		Username:    &username,
 	}); err != nil {
 		return fmt.Errorf("call service up method: %v", err)

client/cmd/up_daemon_test.go

@@ -29,14 +29,14 @@ func TestUpDaemon(t *testing.T) {
 	}
 
 	sm := profilemanager.ServiceManager{}
-	err = sm.AddProfile("test1", currUser.Username)
+	created, err := sm.AddProfile("test1", currUser.Username)
 	if err != nil {
 		t.Fatalf("failed to add profile: %v", err)
 		return
 	}
 
 	err = sm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		Name:     "test1",
+		ID:       created.ID,
 		Username: currUser.Username,
 	})
 	if err != nil {

client/internal/debug/debug_test.go

@@ -843,6 +843,7 @@ func TestAddConfig_AllFieldsCovered(t *testing.T) {
 		"PreSharedKey":      "sensitive: WireGuard pre-shared key",
 		"SSHKey":            "sensitive: SSH private key",
 		"ClientCertKeyPair": "non-config: parsed cert pair, not serialized",
+		"Name":              "non-config: profile name is not needed for debug purposes",
 		"policy":            "non-config: in-memory MDM policy snapshot, surfaced via Config.Policy() / GetConfigResponse.MDMManagedFields",
 	}
 

client/internal/engine.go

@@ -63,9 +63,7 @@ import (
 	"github.com/netbirdio/netbird/route"
 	mgm "github.com/netbirdio/netbird/shared/management/client"
 	"github.com/netbirdio/netbird/shared/management/domain"
-	nbnetworkmap "github.com/netbirdio/netbird/shared/management/networkmap"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
-	types "github.com/netbirdio/netbird/shared/management/types"
 	"github.com/netbirdio/netbird/shared/netiputil"
 	auth "github.com/netbirdio/netbird/shared/relay/auth/hmac"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
@@ -208,13 +206,6 @@ type Engine struct {
 	// networkSerial is the latest CurrentSerial (state ID) of the network sent by the Management service
 	networkSerial uint64
 
-	// latestComponents is the most-recent NetworkMapComponents decoded from
-	// a NetworkMapEnvelope (capability=3 peers only). Held alongside the
-	// NetworkMap that Calculate() produced from it so future incremental
-	// updates have a base to apply changes against. nil for legacy-format
-	// peers. Guarded by syncMsgMux.
-	latestComponents *types.NetworkMapComponents
-
 	networkMonitor *networkmonitor.NetworkMonitor
 
 	sshServer sshServer
@@ -888,54 +879,20 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 		return e.ctx.Err()
 	}
 
-	// Envelope sync responses carry PeerConfig at the top level; legacy
-	// NetworkMap syncs carry it under NetworkMap.PeerConfig.
-	if pc := update.GetPeerConfig(); pc != nil {
-		e.handleAutoUpdateVersion(pc.GetAutoUpdate())
-	} else if nm := update.GetNetworkMap(); nm != nil && nm.GetPeerConfig() != nil {
-		e.handleAutoUpdateVersion(nm.GetPeerConfig().GetAutoUpdate())
+	if update.NetworkMap != nil && update.NetworkMap.PeerConfig != nil {
+		e.handleAutoUpdateVersion(update.NetworkMap.PeerConfig.AutoUpdate)
 	}
 
 	if err := e.updateNetbirdConfig(update.GetNetbirdConfig()); err != nil {
 		return err
 	}
 
-	// Decode the network map from either the components envelope or the
-	// legacy proto.NetworkMap before the posture-check gating below, so the
-	// "is there a network map" decision covers both wire shapes.
-	var (
-		nm         *mgmProto.NetworkMap
-		components *types.NetworkMapComponents
-	)
-	if envelope := update.GetNetworkMapEnvelope(); envelope != nil {
-		// Components-format peer: decode the envelope back to typed
-		// components, run Calculate() locally, and convert to the wire
-		// NetworkMap shape the rest of the engine consumes. Components are
-		// retained so future incremental updates can apply deltas instead
-		// of doing a full reconstruction.
-		localKey := e.config.WgPrivateKey.PublicKey().String()
-		dnsName := ""
-		if pc := update.GetPeerConfig(); pc != nil {
-			// PeerConfig.Fqdn = "<dns_label>.<dns_domain>" — extract the
-			// shared domain by stripping the peer's own label prefix. Falls
-			// back to empty if the FQDN doesn't have the expected shape.
-			dnsName = extractDNSDomainFromFQDN(pc.GetFqdn())
-		}
-		result, err := nbnetworkmap.EnvelopeToNetworkMap(e.ctx, envelope, localKey, dnsName)
-		if err != nil {
-			return fmt.Errorf("decode network map envelope: %w", err)
-		}
-		nm = result.NetworkMap
-		components = result.Components
-	} else {
-		nm = update.GetNetworkMap()
-	}
-
 	// Posture checks are bound to the network map presence:
 	//   NetworkMap != nil, checks present -> apply the received checks
 	//   NetworkMap != nil, checks nil     -> posture checks were removed, clear them
 	//   NetworkMap == nil                 -> config-only update (e.g. relay token rotation),
 	//                                        leave the previously applied checks untouched
+	nm := update.GetNetworkMap()
 	if nm == nil {
 		return nil
 	}
@@ -944,14 +901,6 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 		return err
 	}
 
-	// Only retain the components view when the server sent the envelope
-	// path. A legacy proto.NetworkMap means components == nil; writing it
-	// here would clobber a previously-cached snapshot, breaking the
-	// incremental-delta base on a future envelope sync.
-	if components != nil {
-		e.latestComponents = components
-	}
-
 	e.persistSyncResponse(update)
 
 	// only apply new changes and ignore old ones
@@ -964,19 +913,6 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 	return nil
 }
 
-// extractDNSDomainFromFQDN returns the trailing dotted domain part of the
-// receiving peer's FQDN — the same value the management server fills as
-// dnsName when it builds the legacy NetworkMap. "peer42.netbird.cloud" →
-// "netbird.cloud". An empty string is returned for unrecognized formats.
-func extractDNSDomainFromFQDN(fqdn string) string {
-	for i := 0; i < len(fqdn); i++ {
-		if fqdn[i] == '.' && i+1 < len(fqdn) {
-			return fqdn[i+1:]
-		}
-	}
-	return ""
-}
-
 // updateNetbirdConfig applies the management-provided NetBird configuration:
 // STUN/TURN and relay servers, flow logging and DNS settings. A nil config is a no-op,
 // which is the case for sync updates carrying only a network map.
@@ -1778,6 +1714,13 @@ func (e *Engine) receiveSignalEvents() {
 				return e.ctx.Err()
 			}
 
+			// Self-addressed heartbeat: the signal client's receive watchdog
+			// round-trips this through the server to confirm the receive stream
+			// is delivering. Liveness is already recorded before this handler.
+			if msg.GetBody().GetType() == sProto.Body_HEARTBEAT {
+				return nil
+			}
+
 			conn, ok := e.peerStore.PeerConn(msg.Key)
 			if !ok {
 				return fmt.Errorf("wrongly addressed message %s", msg.Key)

client/internal/profilemanager/config.go

@@ -108,6 +108,10 @@ type ConfigInput struct {
 
 // Config Configuration type
 type Config struct {
+	// Name is the human-readable profile name shown in CLI/UI listings.
+	// It is independent of the profile's on-disk filename (which is the ID).
+	Name string
+
 	// Wireguard private key of local peer
 	PrivateKey                    string
 	PreSharedKey                  string
@@ -270,6 +274,16 @@ func createNewConfig(input ConfigInput) (*Config, error) {
 }
 
 func (config *Config) apply(input ConfigInput) (updated bool, err error) {
+	if config.Name != "" {
+		sanitized, err := sanitizeDisplayName(config.Name)
+		if err != nil {
+			return false, fmt.Errorf("invalid profile name: %w", err)
+		}
+		if sanitized != config.Name {
+			config.Name = sanitized
+			updated = true
+		}
+	}
 	if config.ManagementURL == nil {
 		log.Infof("using default Management URL %s", DefaultManagementURL)
 		config.ManagementURL, err = parseURL("Management URL", DefaultManagementURL)

client/internal/profilemanager/id.go

@@ -0,0 +1,118 @@
+package profilemanager
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"fmt"
+	"path/filepath"
+	"strings"
+	"unicode"
+	"unicode/utf8"
+)
+
+const (
+	// profileIDByteLen is the number of random bytes generated for a new
+	// profile ID. The resulting hex string is twice this length.
+	profileIDByteLen = 16
+
+	// shortIDLen is the number of leading characters of an ID we render in
+	// list output. Profiles per device are few, so 8 chars is collision-safe
+	// in practice and easy to type as a prefix.
+	shortIDLen = 8
+
+	// maxProfileNameLen caps the human-readable profile name to keep table
+	// output legible and prevent denial-of-service via huge JSON fields.
+	maxProfileNameLen = 128
+
+	// maxProfileIDLen bounds the on-disk filename we'll accept. New
+	// IDs are 32 hex chars, legacy stems are sanitized profile names. The
+	// cap is generous enough to cover both without permitting absurdly
+	// long filenames.
+	maxProfileIDLen = 64
+)
+
+type ID string
+
+// generateProfileID returns a new random hex ID for a profile file.
+func generateProfileID() (ID, error) {
+	buf := make([]byte, profileIDByteLen)
+	if _, err := rand.Read(buf); err != nil {
+		return "", fmt.Errorf("read random bytes: %w", err)
+	}
+	return ID(hex.EncodeToString(buf)), nil
+}
+
+// IsValidProfileFilenameStem reports whether id is safe to use as the stem
+// of a profile JSON filename.
+func IsValidProfileFilenameStem(id ID) bool {
+	s := id.String()
+	if s == "" || len(s) > maxProfileIDLen {
+		return false
+	}
+	if s == defaultProfileName {
+		return true
+	}
+	if strings.ContainsAny(s, `/\`) || strings.Contains(s, "..") {
+		return false
+	}
+	// filepath.Base catches any leftover separators on platforms with
+	// exotic path conventions.
+	if filepath.Base(s) != s {
+		return false
+	}
+	for _, r := range s {
+		if !(unicode.IsLetter(r) || unicode.IsDigit(r) || r == '_' || r == '-') {
+			return false
+		}
+	}
+	return true
+}
+
+// sanitizeDisplayName normalizes a user-supplied profile display name for
+// storage. It strips ASCII control characters, rejects invalid UTF-8, and
+// caps the length. Emojis, spaces, punctuation, and non-ASCII letters are
+// preserved. Returns an error if nothing usable remains.
+func sanitizeDisplayName(name string) (string, error) {
+	if !utf8.ValidString(name) {
+		return "", fmt.Errorf("name is not valid UTF-8")
+	}
+	name = StripCtrlChars(name)
+	name = strings.TrimSpace(name)
+	if name == "" {
+		return "", fmt.Errorf("name is empty after sanitization")
+	}
+	if utf8.RuneCountInString(name) > maxProfileNameLen {
+		return "", fmt.Errorf("name exceeds %d characters", maxProfileNameLen)
+	}
+	return name, nil
+}
+
+// StripCtrlChars control characters from a name before printing it.
+func StripCtrlChars(name string) string {
+	var b strings.Builder
+	b.Grow(len(name))
+	for _, r := range name {
+		// Skip C0 controls and DEL, plus C1 controls (0x80–0x9F).
+		if r < 0x20 || r == 0x7F || (r >= 0x80 && r <= 0x9F) {
+			continue
+		}
+		b.WriteRune(r)
+	}
+	return b.String()
+}
+
+// ShortID truncates an ID for display.
+func (id ID) ShortID() string {
+	if id == DefaultProfileName {
+		return DefaultProfileName
+	}
+	runes := []rune(id)
+	if len(runes) <= shortIDLen {
+		return id.String()
+	}
+	return string(runes[:shortIDLen])
+}
+
+func (id ID) String() string {
+	return string(id)
+}

client/internal/profilemanager/profilemanager.go

@@ -19,19 +19,41 @@ const (
 )
 
 type Profile struct {
-	Name     string
+	// ID is the on-disk filename stem (without .json). For new profiles
+	// it is a 32-char hex string; legacy profiles created before the
+	// ID-keyed layout keep their original name as their ID. The reserved
+	// value "default" identifies the special default profile.
+	ID ID
+	// Name is the human-readable display name. Falls back to ID when the
+	// underlying JSON has no "name" field set.
+	Name string
+	// Path is the absolute path to the profile JSON. Populated by the
+	// loader so callers do not have to reconstruct it from ID + dir.
+	Path     string
 	IsActive bool
 }
 
 func (p *Profile) FilePath() (string, error) {
-	if p.Name == "" {
-		return "", fmt.Errorf("active profile name is empty")
+	if p.Path != "" {
+		return p.Path, nil
 	}
 
-	if p.Name == defaultProfileName {
+	id := p.ID
+	if id == "" {
+		id = ID(p.Name)
+	}
+	if id == "" {
+		return "", fmt.Errorf("profile ID is empty")
+	}
+
+	if id == defaultProfileName {
 		return DefaultConfigPath, nil
 	}
 
+	if !IsValidProfileFilenameStem(id) {
+		return "", fmt.Errorf("invalid profile ID: %q", id)
+	}
+
 	username, err := user.Current()
 	if err != nil {
 		return "", fmt.Errorf("failed to get current user: %w", err)
@@ -42,10 +64,13 @@ func (p *Profile) FilePath() (string, error) {
 		return "", fmt.Errorf("failed to get config directory for user %s: %w", username.Username, err)
 	}
 
-	return filepath.Join(configDir, p.Name+".json"), nil
+	return filepath.Join(configDir, id.String()+".json"), nil
 }
 
 func (p *Profile) IsDefault() bool {
+	if p.ID != "" {
+		return p.ID == defaultProfileName
+	}
 	return p.Name == defaultProfileName
 }
 
@@ -57,18 +82,24 @@ func NewProfileManager() *ProfileManager {
 	return &ProfileManager{}
 }
 
+// GetActiveProfile returns the active profile as recorded in the local
+// user state file. Only ID is populated.
 func (pm *ProfileManager) GetActiveProfile() (*Profile, error) {
 	pm.mu.Lock()
 	defer pm.mu.Unlock()
 
-	prof := pm.getActiveProfileState()
-	return &Profile{Name: prof}, nil
+	id := pm.getActiveProfileState()
+	return &Profile{ID: id}, nil
 }
 
-func (pm *ProfileManager) SwitchProfile(profileName string) error {
-	profileName = sanitizeProfileName(profileName)
+// SwitchProfile records the given profile ID as active in the local user
+// state file.
+func (pm *ProfileManager) SwitchProfile(id ID) error {
+	if id != defaultProfileName && !IsValidProfileFilenameStem(id) {
+		return fmt.Errorf("invalid profile ID: %q", id)
+	}
 
-	if err := pm.setActiveProfileState(profileName); err != nil {
+	if err := pm.setActiveProfileState(id); err != nil {
 		return fmt.Errorf("failed to switch profile: %w", err)
 	}
 	return nil
@@ -85,7 +116,7 @@ func sanitizeProfileName(name string) string {
 	}, name)
 }
 
-func (pm *ProfileManager) getActiveProfileState() string {
+func (pm *ProfileManager) getActiveProfileState() ID {
 
 	configDir, err := getConfigDir()
 	if err != nil {
@@ -113,10 +144,10 @@ func (pm *ProfileManager) getActiveProfileState() string {
 		return defaultProfileName
 	}
 
-	return profileName
+	return ID(profileName)
 }
 
-func (pm *ProfileManager) setActiveProfileState(profileName string) error {
+func (pm *ProfileManager) setActiveProfileState(id ID) error {
 
 	configDir, err := getConfigDir()
 	if err != nil {
@@ -125,7 +156,7 @@ func (pm *ProfileManager) setActiveProfileState(profileName string) error {
 
 	statePath := filepath.Join(configDir, activeProfileStateFilename)
 
-	err = os.WriteFile(statePath, []byte(profileName), 0600)
+	err = os.WriteFile(statePath, []byte(id), 0600)
 	if err != nil {
 		return fmt.Errorf("failed to write active profile state: %w", err)
 	}
@@ -142,7 +173,7 @@ func GetLoginHint() string {
 		return ""
 	}
 
-	profileState, err := pm.GetProfileState(activeProf.Name)
+	profileState, err := pm.GetProfileState(activeProf.ID)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 		return ""

client/internal/profilemanager/profilemanager_test.go

@@ -50,14 +50,14 @@ func TestServiceManager_CreateAndGetDefaultProfile(t *testing.T) {
 
 			state, err := sm.GetActiveProfileState()
 			assert.NoError(t, err)
-			assert.Equal(t, state.Name, defaultProfileName) // No active profile state yet
+			assert.Equal(t, defaultProfileName, state.ID.String()) // No active profile state yet
 
 			err = sm.SetActiveProfileStateToDefault()
 			assert.NoError(t, err)
 
 			active, err := sm.GetActiveProfileState()
 			assert.NoError(t, err)
-			assert.Equal(t, "default", active.Name)
+			assert.Equal(t, "default", active.ID.String())
 		})
 	})
 }
@@ -92,14 +92,14 @@ func TestServiceManager_SetActiveProfileState(t *testing.T) {
 			currUser, err := user.Current()
 			assert.NoError(t, err)
 			sm := &ServiceManager{}
-			state := &ActiveProfileState{Name: "foo", Username: currUser.Username}
+			state := &ActiveProfileState{ID: "foo", Username: currUser.Username}
 			err = sm.SetActiveProfileState(state)
 			assert.NoError(t, err)
 
 			// Should error on nil or incomplete state
 			err = sm.SetActiveProfileState(nil)
 			assert.Error(t, err)
-			err = sm.SetActiveProfileState(&ActiveProfileState{Name: "", Username: ""})
+			err = sm.SetActiveProfileState(&ActiveProfileState{ID: "", Username: ""})
 			assert.Error(t, err)
 		})
 	})

client/internal/profilemanager/service.go

@@ -2,6 +2,7 @@ package profilemanager
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -23,12 +24,43 @@ var (
 	DefaultConfigPathDir   = ""
 	DefaultConfigPath      = ""
 	ActiveProfileStatePath = ""
-)
 
-var (
 	ErrorOldDefaultConfigNotFound = errors.New("old default config not found")
 )
 
+// ErrAmbiguousHandle is returned when a profile handle (ID prefix or name)
+// matches more than one profile. Callers can render Candidates to help the
+// user disambiguate.
+type ErrAmbiguousHandle struct {
+	Handle     string
+	Candidates []Profile
+	Kind       AmbiguityKind
+}
+
+// AmbiguityKind describes which matcher produced the ambiguity, so callers
+// can tailor the error message.
+type AmbiguityKind int
+
+const (
+	AmbiguityKindIDPrefix AmbiguityKind = iota
+	AmbiguityKindName
+)
+
+// profileMeta is the minimal slice of a profile JSON we need, so we avoid
+// reading all fields
+type profileMeta struct {
+	Name string
+}
+
+func (e *ErrAmbiguousHandle) Error() string {
+	switch e.Kind {
+	case AmbiguityKindIDPrefix:
+		return fmt.Sprintf("ID prefix %q is ambiguous (matches %d profiles)", e.Handle, len(e.Candidates))
+	default:
+		return fmt.Sprintf("name %q is ambiguous (%d profiles share this name)", e.Handle, len(e.Candidates))
+	}
+}
+
 func init() {
 
 	DefaultConfigPathDir = "/var/lib/netbird/"
@@ -54,25 +86,34 @@ func init() {
 }
 
 type ActiveProfileState struct {
-	Name     string `json:"name"`
+	// ID is the on-disk filename stem of the active profile. The JSON tag stays
+	// as "name" for backwards compatibility with active state files written
+	// before the ID-based config files. Legacy values were profile names, which
+	// were also the legacy filename stems, so they still resolve to the correct
+	// file on disk.
+	ID       ID     `json:"name"`
 	Username string `json:"username"`
 }
 
 func (a *ActiveProfileState) FilePath() (string, error) {
-	if a.Name == "" {
-		return "", fmt.Errorf("active profile name is empty")
+	if a.ID == "" {
+		return "", fmt.Errorf("active profile ID is empty")
 	}
 
-	if a.Name == defaultProfileName {
+	if a.ID == defaultProfileName {
 		return DefaultConfigPath, nil
 	}
 
+	if !IsValidProfileFilenameStem(a.ID) {
+		return "", fmt.Errorf("invalid profile ID: %q", a.ID)
+	}
+
 	configDir, err := getConfigDirForUser(a.Username)
 	if err != nil {
 		return "", fmt.Errorf("failed to get config directory for user %s: %w", a.Username, err)
 	}
 
-	return filepath.Join(configDir, a.Name+".json"), nil
+	return filepath.Join(configDir, a.ID.String()+".json"), nil
 }
 
 type ServiceManager struct {
@@ -178,7 +219,7 @@ func (s *ServiceManager) GetActiveProfileState() (*ActiveProfileState, error) {
 				return nil, fmt.Errorf("failed to set active profile to default: %w", err)
 			}
 			return &ActiveProfileState{
-				Name:     "default",
+				ID:       defaultProfileName,
 				Username: "",
 			}, nil
 		} else {
@@ -186,12 +227,12 @@ func (s *ServiceManager) GetActiveProfileState() (*ActiveProfileState, error) {
 		}
 	}
 
-	if activeProfile.Name == "" {
+	if activeProfile.ID == "" {
 		if err := s.SetActiveProfileStateToDefault(); err != nil {
 			return nil, fmt.Errorf("failed to set active profile to default: %w", err)
 		}
 		return &ActiveProfileState{
-			Name:     "default",
+			ID:       defaultProfileName,
 			Username: "",
 		}, nil
 	}
@@ -216,25 +257,29 @@ func (s *ServiceManager) setDefaultActiveState() error {
 }
 
 func (s *ServiceManager) SetActiveProfileState(a *ActiveProfileState) error {
-	if a == nil || a.Name == "" {
+	if a == nil || a.ID == "" {
 		return errors.New("invalid active profile state")
 	}
 
-	if a.Name != defaultProfileName && a.Username == "" {
-		return fmt.Errorf("username must be set for non-default profiles, got: %s", a.Name)
+	if a.ID != defaultProfileName && a.Username == "" {
+		return fmt.Errorf("username must be set for non-default profiles, got: %s", a.ID)
+	}
+
+	if a.ID != defaultProfileName && !IsValidProfileFilenameStem(a.ID) {
+		return fmt.Errorf("invalid profile ID: %q", a.ID)
 	}
 
 	if err := util.WriteJsonWithRestrictedPermission(context.Background(), ActiveProfileStatePath, a); err != nil {
 		return fmt.Errorf("failed to write active profile state: %w", err)
 	}
 
-	log.Infof("active profile set to %s for %s", a.Name, a.Username)
+	log.Infof("active profile set to %s for %s", a.ID, a.Username)
 	return nil
 }
 
 func (s *ServiceManager) SetActiveProfileStateToDefault() error {
 	return s.SetActiveProfileState(&ActiveProfileState{
-		Name:     "default",
+		ID:       defaultProfileName,
 		Username: "",
 	})
 }
@@ -243,57 +288,117 @@ func (s *ServiceManager) DefaultProfilePath() string {
 	return DefaultConfigPath
 }
 
-func (s *ServiceManager) AddProfile(profileName, username string) error {
+// AddProfile creates a new profile with a generated ID. The user-supplied
+// displayName is stored inside the JSON's name field, the on-disk filename
+// uses the generated ID.
+//
+// The returned Profile carries the freshly-generated ID so callers can
+// show it to the user (and so the gRPC AddProfileResponse can include
+// it).
+func (s *ServiceManager) AddProfile(displayName, username string) (*Profile, error) {
 	configDir, err := s.getConfigDir(username)
 	if err != nil {
-		return fmt.Errorf("failed to get config directory: %w", err)
+		return nil, fmt.Errorf("failed to get config directory: %w", err)
 	}
 
-	profileName = sanitizeProfileName(profileName)
-
-	if profileName == defaultProfileName {
-		return fmt.Errorf("cannot create profile with reserved name: %s", defaultProfileName)
-	}
-
-	profPath := filepath.Join(configDir, profileName+".json")
-	profileExists, err := fileExists(profPath)
+	displayName, err = sanitizeDisplayName(displayName)
 	if err != nil {
-		return fmt.Errorf("failed to check if profile exists: %w", err)
-	}
-	if profileExists {
-		return ErrProfileAlreadyExists
+		return nil, fmt.Errorf("invalid profile name: %w", err)
 	}
 
+	id, err := generateProfileID()
+	if err != nil {
+		return nil, fmt.Errorf("generate profile id: %w", err)
+	}
+
+	profPath := filepath.Join(configDir, id.String()+".json")
 	cfg, err := createNewConfig(ConfigInput{ConfigPath: profPath})
 	if err != nil {
-		return fmt.Errorf("failed to create new config: %w", err)
+		return nil, fmt.Errorf("failed to create new config: %w", err)
+	}
+	cfg.Name = displayName
+
+	if err := util.WriteJson(context.Background(), profPath, cfg); err != nil {
+		return nil, fmt.Errorf("failed to write profile config: %w", err)
 	}
 
-	err = util.WriteJson(context.Background(), profPath, cfg)
+	return &Profile{
+		ID:   id,
+		Name: displayName,
+		Path: profPath,
+	}, nil
+}
+
+func (s *ServiceManager) RenameProfile(id ID, username string, newName string) error {
+	displayName, err := sanitizeDisplayName(newName)
 	if err != nil {
-		return fmt.Errorf("failed to write profile config: %w", err)
+		return fmt.Errorf("invalid profile name: %w", err)
 	}
 
+	if !IsValidProfileFilenameStem(id) {
+		return fmt.Errorf("invalid profile ID: %q", id)
+	}
+
+	profiles, err := s.loadAllProfiles(username)
+	if err != nil {
+		return fmt.Errorf("load profiles: %w", err)
+	}
+
+	var target *Profile
+	for i := range profiles {
+		if profiles[i].ID == id {
+			target = &profiles[i]
+			break
+		}
+	}
+	if target == nil {
+		return ErrProfileNotFound
+	}
+
+	data, err := os.ReadFile(target.Path)
+	if err != nil {
+		return err
+	}
+	var cfg Config
+	if err := json.Unmarshal(data, &cfg); err != nil {
+		return err
+	}
+	cfg.Name = displayName
+
+	if err := util.WriteJson(context.Background(), target.Path, cfg); err != nil {
+		return fmt.Errorf("failed to write profile name: %w", err)
+	}
 	return nil
 }
 
-func (s *ServiceManager) RemoveProfile(profileName, username string) error {
-	configDir, err := s.getConfigDir(username)
-	if err != nil {
-		return fmt.Errorf("failed to get config directory: %w", err)
+// RemoveProfile deletes the profile identified by id. Callers must have
+// already resolved any user-supplied handle to a concrete ID via
+// ResolveProfile.
+func (s *ServiceManager) RemoveProfile(id ID, username string) error {
+	if id == defaultProfileName {
+		defaultName := readProfileName(DefaultConfigPath)
+		if defaultName == "" {
+			defaultName = defaultProfileName
+		}
+		return fmt.Errorf("cannot remove default profile with name: %s", defaultName)
+	}
+	if !IsValidProfileFilenameStem(id) {
+		return fmt.Errorf("invalid profile ID: %q", id)
 	}
 
-	profileName = sanitizeProfileName(profileName)
-
-	if profileName == defaultProfileName {
-		return fmt.Errorf("cannot remove profile with reserved name: %s", defaultProfileName)
-	}
-	profPath := filepath.Join(configDir, profileName+".json")
-	profileExists, err := fileExists(profPath)
+	profiles, err := s.loadAllProfiles(username)
 	if err != nil {
-		return fmt.Errorf("failed to check if profile exists: %w", err)
+		return fmt.Errorf("load profiles: %w", err)
 	}
-	if !profileExists {
+
+	var target *Profile
+	for i := range profiles {
+		if profiles[i].ID == id {
+			target = &profiles[i]
+			break
+		}
+	}
+	if target == nil {
 		return ErrProfileNotFound
 	}
 
@@ -301,57 +406,26 @@ func (s *ServiceManager) RemoveProfile(profileName, username string) error {
 	if err != nil && !errors.Is(err, ErrNoActiveProfile) {
 		return fmt.Errorf("failed to get active profile: %w", err)
 	}
-
-	if activeProf != nil && activeProf.Name == profileName {
-		return fmt.Errorf("cannot remove active profile: %s", profileName)
+	if activeProf != nil && activeProf.ID == id {
+		return fmt.Errorf("cannot remove active profile: %s", id)
 	}
 
-	err = util.RemoveJson(profPath)
-	if err != nil {
+	if err := util.RemoveJson(target.Path); err != nil {
 		return fmt.Errorf("failed to remove profile config: %w", err)
 	}
+
+	stateFile := filepath.Join(filepath.Dir(target.Path), id.String()+".state.json")
+	if err := os.Remove(stateFile); err != nil && !os.IsNotExist(err) {
+		log.Warnf("failed to remove profile state file %s: %v", stateFile, err)
+	}
+
 	return nil
 }
 
+// ListProfiles returns every profile for the given user, including the
+// default profile, with IsActive flags set.
 func (s *ServiceManager) ListProfiles(username string) ([]Profile, error) {
-	configDir, err := s.getConfigDir(username)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get config directory: %w", err)
-	}
-
-	files, err := util.ListFiles(configDir, "*.json")
-	if err != nil {
-		return nil, fmt.Errorf("failed to list profile files: %w", err)
-	}
-
-	var filtered []string
-	for _, file := range files {
-		if strings.HasSuffix(file, "state.json") {
-			continue // skip state files
-		}
-		filtered = append(filtered, file)
-	}
-	sort.Strings(filtered)
-
-	var activeProfName string
-	activeProf, err := s.GetActiveProfileState()
-	if err == nil {
-		activeProfName = activeProf.Name
-	}
-
-	var profiles []Profile
-	// add default profile always
-	profiles = append(profiles, Profile{Name: defaultProfileName, IsActive: activeProfName == "" || activeProfName == defaultProfileName})
-	for _, file := range filtered {
-		profileName := strings.TrimSuffix(filepath.Base(file), ".json")
-		var isActive bool
-		if activeProfName != "" && activeProfName == profileName {
-			isActive = true
-		}
-		profiles = append(profiles, Profile{Name: profileName, IsActive: isActive})
-	}
-
-	return profiles, nil
+	return s.loadAllProfiles(username)
 }
 
 // GetStatePath returns the path to the state file based on the operating system
@@ -369,7 +443,12 @@ func (s *ServiceManager) GetStatePath() string {
 		return defaultStatePath
 	}
 
-	if activeProf.Name == defaultProfileName {
+	if activeProf.ID == defaultProfileName {
+		return defaultStatePath
+	}
+
+	if !IsValidProfileFilenameStem(activeProf.ID) {
+		log.Warnf("invalid active profile ID %q, using default state path", activeProf.ID)
 		return defaultStatePath
 	}
 
@@ -379,7 +458,7 @@ func (s *ServiceManager) GetStatePath() string {
 		return defaultStatePath
 	}
 
-	return filepath.Join(configDir, activeProf.Name+".state.json")
+	return filepath.Join(configDir, activeProf.ID.String()+".state.json")
 }
 
 // getConfigDir returns the profiles directory, using profilesDir if set, otherwise getConfigDirForUser
@@ -390,3 +469,169 @@ func (s *ServiceManager) getConfigDir(username string) (string, error) {
 
 	return getConfigDirForUser(username)
 }
+
+// loadAllProfiles returns every profile visible to the daemon for the
+// given user, including the default profile. The returned slice is sorted
+// by ID for a stable display order.
+//
+// Each Profile is fully populated: ID is the filename stem, Name comes
+// from the JSON's "name" field (falling back to the filename stem when absent)
+// and Path is built from a basename read off disk.
+func (s *ServiceManager) loadAllProfiles(username string) ([]Profile, error) {
+	activeID, activeIsDefault := s.activeProfileID()
+	defaultName := readProfileName(DefaultConfigPath)
+	if defaultName == "" {
+		defaultName = defaultProfileName
+	}
+
+	profiles := []Profile{{
+		ID:       defaultProfileName,
+		Name:     defaultName,
+		Path:     DefaultConfigPath,
+		IsActive: activeIsDefault,
+	}}
+
+	configDir, err := s.getConfigDir(username)
+	if err != nil {
+		return nil, fmt.Errorf("get config directory: %w", err)
+	}
+
+	entries, err := os.ReadDir(configDir)
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return profiles, nil
+		}
+		return nil, fmt.Errorf("read profile directory: %w", err)
+	}
+
+	var fileProfiles []Profile
+	for _, entry := range entries {
+		if entry.IsDir() {
+			continue
+		}
+		base := entry.Name()
+		if !strings.HasSuffix(base, ".json") {
+			continue
+		}
+		if strings.HasSuffix(base, ".state.json") {
+			continue
+		}
+		stem := ID(strings.TrimSuffix(base, ".json"))
+		if stem == defaultProfileName {
+			// default lives at the top-level config dir, not under /<user>
+			continue
+		}
+		if !IsValidProfileFilenameStem(ID(stem)) {
+			continue
+		}
+		path := filepath.Join(configDir, base)
+		name := readProfileName(path)
+		if name == "" {
+			name = stem.String()
+		}
+		fileProfiles = append(fileProfiles, Profile{
+			ID:       stem,
+			Name:     name,
+			Path:     path,
+			IsActive: stem == ID(activeID),
+		})
+	}
+
+	sort.Slice(fileProfiles, func(i, j int) bool {
+		if fileProfiles[i].Name != fileProfiles[j].Name {
+			return fileProfiles[i].Name < fileProfiles[j].Name
+		}
+		// Sort tie-break on ID so duplicate names always render in the same order.
+		return fileProfiles[i].ID < fileProfiles[j].ID
+	})
+	profiles = append(profiles, fileProfiles...)
+	return profiles, nil
+}
+
+// readProfileName parses just the "name" field from the profile Json.
+func readProfileName(path string) string {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return ""
+	}
+	var meta profileMeta
+	if err := json.Unmarshal(data, &meta); err != nil {
+		return ""
+	}
+	return meta.Name
+}
+
+// activeProfileID returns the currently-active profile's ID. The second
+// return value is true when the active profile is the default one.
+func (s *ServiceManager) activeProfileID() (ID, bool) {
+	state, err := s.GetActiveProfileState()
+	if err != nil || state == nil {
+		return defaultProfileName, true
+	}
+	if state.ID == "" || state.ID == defaultProfileName {
+		return defaultProfileName, true
+	}
+	return state.ID, false
+}
+
+// ResolveProfile turns a user-supplied handle into a Profile. Resolution
+// precedence is: exact ID match, then unique exact name, then unique ID
+// prefix. Ambiguous matches return *ErrAmbiguousHandle so callers can
+// surface the candidates.
+func (s *ServiceManager) ResolveProfile(handle, username string) (*Profile, error) {
+	if handle == "" {
+		return nil, fmt.Errorf("profile handle is empty")
+	}
+
+	profiles, err := s.loadAllProfiles(username)
+	if err != nil {
+		return nil, err
+	}
+
+	for i := range profiles {
+		if profiles[i].ID == ID(handle) {
+			return &profiles[i], nil
+		}
+	}
+
+	var nameMatches []Profile
+	for i := range profiles {
+		if profiles[i].Name == handle {
+			nameMatches = append(nameMatches, profiles[i])
+		}
+	}
+	if len(nameMatches) == 1 {
+		return &nameMatches[0], nil
+	}
+	if len(nameMatches) > 1 {
+		return nil, &ErrAmbiguousHandle{
+			Handle:     handle,
+			Candidates: nameMatches,
+			Kind:       AmbiguityKindName,
+		}
+	}
+
+	// ID prefix match. Skip the default profile so `select d` does not
+	// accidentally pick it via prefix.
+	var prefixMatches []Profile
+	for i := range profiles {
+		if profiles[i].ID == defaultProfileName {
+			continue
+		}
+		if strings.HasPrefix(profiles[i].ID.String(), handle) {
+			prefixMatches = append(prefixMatches, profiles[i])
+		}
+	}
+	if len(prefixMatches) == 1 {
+		return &prefixMatches[0], nil
+	}
+	if len(prefixMatches) > 1 {
+		return nil, &ErrAmbiguousHandle{
+			Handle:     handle,
+			Candidates: prefixMatches,
+			Kind:       AmbiguityKindIDPrefix,
+		}
+	}
+
+	return nil, ErrProfileNotFound
+}

client/internal/profilemanager/service_test.go

@@ -0,0 +1,230 @@
+package profilemanager
+
+import (
+	"context"
+	"errors"
+	"os"
+	"os/user"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/util"
+)
+
+// withTestSM wires up patched globals + a clean config dir and returns a
+// fully initialized ServiceManager plus the username we are scoped to.
+func withTestSM(t *testing.T, fn func(sm *ServiceManager, username string)) {
+	t.Helper()
+	withTempConfigDir(t, func(configDir string) {
+		withPatchedGlobals(t, configDir, func() {
+			u, err := user.Current()
+			require.NoError(t, err)
+			sm := &ServiceManager{}
+			require.NoError(t, sm.CreateDefaultProfile())
+			fn(sm, u.Username)
+		})
+	})
+}
+
+func TestServiceProfile_ExactID(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		created, err := sm.AddProfile("work", username)
+		require.NoError(t, err)
+
+		got, err := sm.ResolveProfile(created.ID.String(), username)
+		require.NoError(t, err)
+		assert.Equal(t, created.ID, got.ID)
+		assert.Equal(t, "work", got.Name)
+	})
+}
+
+func TestServiceProfile_IDPrefix(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		created, err := sm.AddProfile("work", username)
+		require.NoError(t, err)
+
+		prefix := created.ID[:4]
+		got, err := sm.ResolveProfile(prefix.String(), username)
+		require.NoError(t, err)
+		assert.Equal(t, created.ID, got.ID)
+	})
+}
+
+func TestServiceProfile_AmbiguousPrefix(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		// Plant two profiles whose IDs share a known prefix by writing
+		// the files directly, since generated IDs are random.
+		configDir, err := sm.getConfigDir(username)
+		require.NoError(t, err)
+		for _, id := range []string{"abcd1111aaaa", "abcd2222bbbb"} {
+			path := filepath.Join(configDir, id+".json")
+			require.NoError(t, util.WriteJson(context.Background(), path, &Config{Name: id}))
+		}
+
+		_, err = sm.ResolveProfile("abcd", username)
+		var amb *ErrAmbiguousHandle
+		require.ErrorAs(t, err, &amb)
+		assert.Equal(t, AmbiguityKindIDPrefix, amb.Kind)
+		assert.Len(t, amb.Candidates, 2)
+	})
+}
+
+func TestServiceProfile_ExactNameUnique(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		_, err := sm.AddProfile("work", username)
+		require.NoError(t, err)
+
+		got, err := sm.ResolveProfile("work", username)
+		require.NoError(t, err)
+		assert.Equal(t, "work", got.Name)
+	})
+}
+
+func TestServiceProfile_AmbiguousName(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		_, err := sm.AddProfile("work", username)
+		require.NoError(t, err)
+		_, err = sm.AddProfile("work", username)
+		require.NoError(t, err)
+
+		_, err = sm.ResolveProfile("work", username)
+		var amb *ErrAmbiguousHandle
+		require.ErrorAs(t, err, &amb)
+		assert.Equal(t, AmbiguityKindName, amb.Kind)
+		assert.Len(t, amb.Candidates, 2)
+	})
+}
+
+func TestServiceProfile_NotFound(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		_, err := sm.ResolveProfile("nope", username)
+		assert.ErrorIs(t, err, ErrProfileNotFound)
+	})
+}
+
+func TestServiceProfile_DefaultByExactID(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		got, err := sm.ResolveProfile(defaultProfileName, username)
+		require.NoError(t, err)
+		assert.Equal(t, defaultProfileName, got.ID.String())
+	})
+}
+
+func TestServiceProfile_LegacyFilenameCoexists(t *testing.T) {
+	// Legacy profiles stored as <name>.json with no "name" JSON field
+	// should still be discoverable by name and removable by name.
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		configDir, err := sm.getConfigDir(username)
+		require.NoError(t, err)
+		path := filepath.Join(configDir, "legacy.json")
+		require.NoError(t, util.WriteJson(context.Background(), path, &Config{}))
+
+		got, err := sm.ResolveProfile("legacy", username)
+		require.NoError(t, err)
+		assert.Equal(t, "legacy", got.ID.String())
+		// Name falls back to the filename stem when JSON omits it.
+		assert.Equal(t, "legacy", got.Name)
+	})
+}
+
+func TestAddProfile_AllowsDuplicateWithFlag(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		first, err := sm.AddProfile("work", username)
+		require.NoError(t, err)
+
+		second, err := sm.AddProfile("work", username)
+		require.NoError(t, err)
+		assert.NotEqual(t, first.ID, second.ID)
+		assert.Equal(t, "work", second.Name)
+	})
+}
+
+func TestAddProfile_RejectsInvalidNames(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		cases := []string{
+			"",                                       // empty
+			"\x00\x01",                               // only control chars (becomes empty)
+			strings.Repeat("a", maxProfileNameLen+1), // too long
+		}
+		for _, name := range cases {
+			_, err := sm.AddProfile(name, username)
+			assert.Error(t, err, "expected error for %q", name)
+		}
+	})
+}
+
+func TestRemoveProfile_RejectsInvalidID(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		err := sm.RemoveProfile("../escape", username)
+		assert.Error(t, err)
+	})
+}
+
+func TestSanitizeDisplayName(t *testing.T) {
+	cases := []struct {
+		in      string
+		want    string
+		wantErr bool
+	}{
+		{"work", "work", false},
+		{"My Work Account", "My Work Account", false},
+		{"emoji 🚀 ok", "emoji 🚀 ok", false},
+		{"漢字テスト", "漢字テスト", false},
+		{"with\x00null", "withnull", false},
+		{"\x01\x02\x03", "", true},
+		{"", "", true},
+	}
+	for _, tc := range cases {
+		got, err := sanitizeDisplayName(tc.in)
+		if tc.wantErr {
+			assert.Error(t, err, "case %q", tc.in)
+			continue
+		}
+		assert.NoError(t, err, "case %q", tc.in)
+		assert.Equal(t, tc.want, got, "case %q", tc.in)
+	}
+}
+
+func TestIsValidProfileFilenameStem(t *testing.T) {
+	cases := []struct {
+		in   string
+		want bool
+	}{
+		{"default", true},
+		{"abc123def456", true},
+		{"legacy-name", true},
+		{"legacy_name", true},
+		{"", false},
+		{"..", false},
+		{"../etc", false},
+		{"foo/bar", false},
+		{`foo\bar`, false},
+		{"with space", false},
+		{"with.dot", false},
+		{strings.Repeat("a", maxProfileIDLen+1), false},
+	}
+	for _, tc := range cases {
+		got := IsValidProfileFilenameStem(ID(tc.in))
+		assert.Equal(t, tc.want, got, "case %q", tc.in)
+	}
+}
+
+func TestRemoveProfile_DeletesStateFile(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		created, err := sm.AddProfile("work", username)
+		require.NoError(t, err)
+
+		configDir, err := sm.getConfigDir(username)
+		require.NoError(t, err)
+		statePath := filepath.Join(configDir, created.ID.String()+".state.json")
+		require.NoError(t, os.WriteFile(statePath, []byte(`{"email":"a@b"}`), 0600))
+
+		require.NoError(t, sm.RemoveProfile(created.ID, username))
+		_, err = os.Stat(statePath)
+		assert.True(t, errors.Is(err, os.ErrNotExist), "state file should be removed")
+	})
+}

client/internal/profilemanager/state.go

@@ -13,13 +13,20 @@ type ProfileState struct {
 	Email string `json:"email"`
 }
 
-func (pm *ProfileManager) GetProfileState(profileName string) (*ProfileState, error) {
+// GetProfileState reads the per-profile state file keyed by profile ID.
+// The state file lives in the user's config directory. Legacy state files
+// keyed by the old profile name remain readable.
+func (pm *ProfileManager) GetProfileState(id ID) (*ProfileState, error) {
 	configDir, err := getConfigDir()
 	if err != nil {
 		return nil, fmt.Errorf("get config directory: %w", err)
 	}
 
-	stateFile := filepath.Join(configDir, profileName+".state.json")
+	if id != defaultProfileName && !IsValidProfileFilenameStem(id) {
+		return nil, fmt.Errorf("invalid profile ID: %q", id)
+	}
+
+	stateFile := filepath.Join(configDir, id.String()+".state.json")
 	stateFileExists, err := fileExists(stateFile)
 	if err != nil {
 		return nil, fmt.Errorf("failed to check if profile state file exists: %w", err)
@@ -51,7 +58,12 @@ func (pm *ProfileManager) SetActiveProfileState(state *ProfileState) error {
 		return fmt.Errorf("get active profile: %w", err)
 	}
 
-	stateFile := filepath.Join(configDir, activeProf.Name+".state.json")
+	id := activeProf.ID
+	if id != defaultProfileName && !IsValidProfileFilenameStem(id) {
+		return fmt.Errorf("invalid active profile ID: %q", id)
+	}
+
+	stateFile := filepath.Join(configDir, id.String()+".state.json")
 	err = util.WriteJsonWithRestrictedPermission(context.Background(), stateFile, state)
 	if err != nil {
 		return fmt.Errorf("write profile state: %w", err)

client/internal/routemanager/manager.go

@@ -333,6 +333,8 @@ func (m *DefaultManager) Stop(stateManager *statemanager.Manager) {
 		}
 	}
 
+	m.notifier.Close()
+
 	m.mux.Lock()
 	defer m.mux.Unlock()
 	m.clientRoutes = nil

client/internal/routemanager/notifier/notifier_android.go

@@ -16,7 +16,7 @@ import (
 type Notifier struct {
 	initialRoutes []*route.Route
 	currentRoutes []*route.Route
-	fakeIPRoutes []*route.Route
+	fakeIPRoutes  []*route.Route
 
 	listener    listener.NetworkChangeListener
 	listenerMux sync.Mutex
@@ -119,3 +119,7 @@ func (n *Notifier) GetInitialRouteRanges() []string {
 	sort.Strings(initialStrings)
 	return initialStrings
 }
+
+func (n *Notifier) Close() {
+	// unused
+}

client/internal/routemanager/notifier/notifier_ios.go

@@ -3,6 +3,7 @@
 package notifier
 
 import (
+	"container/list"
 	"net/netip"
 	"slices"
 	"sort"
@@ -14,19 +15,26 @@ import (
 )
 
 type Notifier struct {
+	mu              sync.Mutex
+	cond            *sync.Cond
 	currentPrefixes []string
-
-	listener    listener.NetworkChangeListener
-	listenerMux sync.Mutex
+	listener        listener.NetworkChangeListener
+	queue           *list.List
+	closed          bool
 }
 
 func NewNotifier() *Notifier {
-	return &Notifier{}
+	n := &Notifier{
+		queue: list.New(),
+	}
+	n.cond = sync.NewCond(&n.mu)
+	go n.deliverLoop()
+	return n
 }
 
 func (n *Notifier) SetListener(listener listener.NetworkChangeListener) {
-	n.listenerMux.Lock()
-	defer n.listenerMux.Unlock()
+	n.mu.Lock()
+	defer n.mu.Unlock()
 	n.listener = listener
 }
 
@@ -43,32 +51,52 @@ func (n *Notifier) OnNewRoutes(route.HAMap) {
 }
 
 func (n *Notifier) OnNewPrefixes(prefixes []netip.Prefix) {
-	newNets := make([]string, 0)
+	newNets := make([]string, 0, len(prefixes))
 	for _, prefix := range prefixes {
 		newNets = append(newNets, prefix.String())
 	}
 
 	sort.Strings(newNets)
 
+	n.mu.Lock()
 	if slices.Equal(n.currentPrefixes, newNets) {
+		n.mu.Unlock()
 		return
 	}
-
 	n.currentPrefixes = newNets
-	n.notify()
+	routes := strings.Join(n.currentPrefixes, ",")
+	n.queue.PushBack(routes)
+	n.cond.Signal()
+	n.mu.Unlock()
 }
-func (n *Notifier) notify() {
-	n.listenerMux.Lock()
-	defer n.listenerMux.Unlock()
-	if n.listener == nil {
-		return
-	}
 
-	go func(l listener.NetworkChangeListener) {
-		l.OnNetworkChanged(strings.Join(n.currentPrefixes, ","))
-	}(n.listener)
+func (n *Notifier) Close() {
+	n.mu.Lock()
+	n.closed = true
+	n.cond.Signal()
+	n.mu.Unlock()
 }
 
 func (n *Notifier) GetInitialRouteRanges() []string {
 	return nil
 }
+
+func (n *Notifier) deliverLoop() {
+	for {
+		n.mu.Lock()
+		for n.queue.Len() == 0 && !n.closed {
+			n.cond.Wait()
+		}
+		if n.closed && n.queue.Len() == 0 {
+			n.mu.Unlock()
+			return
+		}
+		routes := n.queue.Remove(n.queue.Front()).(string)
+		l := n.listener
+		n.mu.Unlock()
+
+		if l != nil {
+			l.OnNetworkChanged(routes)
+		}
+	}
+}

client/internal/routemanager/notifier/notifier_other.go

@@ -38,3 +38,7 @@ func (n *Notifier) OnNewPrefixes(prefixes []netip.Prefix) {
 func (n *Notifier) GetInitialRouteRanges() []string {
 	return []string{}
 }
+
+func (n *Notifier) Close() {
+	// unused
+}

client/mdm/policy.go

@@ -67,6 +67,7 @@ var boolStringLiterals = map[string]bool{
 	"no":    false,
 }
 
+
 // Policy holds MDM-managed settings read from the platform source. A nil or
 // empty Policy means no enforcement is active.
 type Policy struct {

client/mdm/policy_test.go

@@ -31,8 +31,8 @@ func TestPolicy_Empty(t *testing.T) {
 
 func TestPolicy_HasKey(t *testing.T) {
 	p := NewPolicy(map[string]any{
-		KeyManagementURL:   "https://corp.example.com",
-		KeyDisableProfiles: true,
+		KeyManagementURL:    "https://corp.example.com",
+		KeyDisableProfiles:  true,
 	})
 	assert.False(t, p.IsEmpty())
 	assert.True(t, p.HasKey(KeyManagementURL))
@@ -53,8 +53,8 @@ func TestPolicy_ManagedKeysSorted(t *testing.T) {
 func TestPolicy_GetString(t *testing.T) {
 	p := NewPolicy(map[string]any{
 		KeyManagementURL:   "https://corp.example.com",
-		KeyDisableProfiles: true, // wrong type for GetString
-		KeyPreSharedKey:    "",   // empty rejected
+		KeyDisableProfiles: true,            // wrong type for GetString
+		KeyPreSharedKey:        "",              // empty rejected
 	})
 	v, ok := p.GetString(KeyManagementURL)
 	assert.True(t, ok)

client/proto/daemon.proto

@@ -85,6 +85,8 @@ service DaemonService {
 
   rpc AddProfile(AddProfileRequest) returns (AddProfileResponse) {}
 
+  rpc RenameProfile(RenameProfileRequest) returns (RenameProfileResponse) {}
+
   rpc RemoveProfile(RemoveProfileRequest) returns (RemoveProfileResponse) {}
 
   rpc ListProfiles(ListProfilesRequest) returns (ListProfilesResponse) {}
@@ -625,11 +627,18 @@ message GetEventsResponse {
 }
 
 message SwitchProfileRequest {
+  // profileName is treated as a handle: exact ID, unique ID prefix, or
+  // unique display name. The daemon resolves it server-side.
   optional string profileName = 1;
   optional string username = 2;
 }
 
-message SwitchProfileResponse {}
+message SwitchProfileResponse {
+  // id is the resolved on-disk ID of the profile that became active.
+  // Lets CLI clients update their local active-profile state without
+  // duplicating the resolution logic.
+  string id = 1;
+}
 
 message SetConfigRequest {
   string username = 1;
@@ -696,17 +705,42 @@ message SetConfigResponse{}
 
 message AddProfileRequest {
   string username = 1;
+  // profileName carries the human-readable display name for the new
+  // profile. The on-disk filename is a separately-generated ID.
   string profileName = 2;
 }
 
-message AddProfileResponse {}
+message AddProfileResponse {
+  // id is the generated on-disk ID of the new profile. CLI clients
+  // display a truncated form, UI clients can ignore it.
+  string id = 1;
+}
+
+message RenameProfileRequest {
+  string username = 1;
+  // handle: an exact ID, a unique ID prefix, or a unique display name.
+  string handle = 2;
+  // newProfileName is the new human-readable display name for the profile.
+  string newProfileName = 3;
+}
+
+message RenameProfileResponse {
+  // confirm the old profile name after resolving handle.
+  string oldProfileName = 1;
+}
 
 message RemoveProfileRequest {
   string username = 1;
+  // profileName is treated as a handle: an exact ID, a unique ID
+  // prefix, or a unique display name. Resolution happens server-side.
   string profileName = 2;
 }
 
-message RemoveProfileResponse {}
+message RemoveProfileResponse {
+  // id is the full resolved ID of the removed profile, so callers can
+  // confirm exactly which profile a name/prefix handle resolved to.
+  string id = 1;
+}
 
 message ListProfilesRequest {
   string username = 1;
@@ -719,6 +753,7 @@ message ListProfilesResponse {
 message Profile {
   string name = 1;
   bool is_active = 2;
+  string id = 3;
 }
 
 message GetActiveProfileRequest {}
@@ -726,6 +761,7 @@ message GetActiveProfileRequest {}
 message GetActiveProfileResponse {
   string profileName = 1;
   string username = 2;
+  string id = 3;
 }
 
 message LogoutRequest {

client/proto/daemon_grpc.pb.go

@@ -45,6 +45,7 @@ const (
 	DaemonService_SwitchProfile_FullMethodName              = "/daemon.DaemonService/SwitchProfile"
 	DaemonService_SetConfig_FullMethodName                  = "/daemon.DaemonService/SetConfig"
 	DaemonService_AddProfile_FullMethodName                 = "/daemon.DaemonService/AddProfile"
+	DaemonService_RenameProfile_FullMethodName              = "/daemon.DaemonService/RenameProfile"
 	DaemonService_RemoveProfile_FullMethodName              = "/daemon.DaemonService/RemoveProfile"
 	DaemonService_ListProfiles_FullMethodName               = "/daemon.DaemonService/ListProfiles"
 	DaemonService_GetActiveProfile_FullMethodName           = "/daemon.DaemonService/GetActiveProfile"
@@ -112,6 +113,7 @@ type DaemonServiceClient interface {
 	SwitchProfile(ctx context.Context, in *SwitchProfileRequest, opts ...grpc.CallOption) (*SwitchProfileResponse, error)
 	SetConfig(ctx context.Context, in *SetConfigRequest, opts ...grpc.CallOption) (*SetConfigResponse, error)
 	AddProfile(ctx context.Context, in *AddProfileRequest, opts ...grpc.CallOption) (*AddProfileResponse, error)
+	RenameProfile(ctx context.Context, in *RenameProfileRequest, opts ...grpc.CallOption) (*RenameProfileResponse, error)
 	RemoveProfile(ctx context.Context, in *RemoveProfileRequest, opts ...grpc.CallOption) (*RemoveProfileResponse, error)
 	ListProfiles(ctx context.Context, in *ListProfilesRequest, opts ...grpc.CallOption) (*ListProfilesResponse, error)
 	GetActiveProfile(ctx context.Context, in *GetActiveProfileRequest, opts ...grpc.CallOption) (*GetActiveProfileResponse, error)
@@ -422,6 +424,16 @@ func (c *daemonServiceClient) AddProfile(ctx context.Context, in *AddProfileRequ
 	return out, nil
 }
 
+func (c *daemonServiceClient) RenameProfile(ctx context.Context, in *RenameProfileRequest, opts ...grpc.CallOption) (*RenameProfileResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(RenameProfileResponse)
+	err := c.cc.Invoke(ctx, DaemonService_RenameProfile_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *daemonServiceClient) RemoveProfile(ctx context.Context, in *RemoveProfileRequest, opts ...grpc.CallOption) (*RemoveProfileResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(RemoveProfileResponse)
@@ -613,6 +625,7 @@ type DaemonServiceServer interface {
 	SwitchProfile(context.Context, *SwitchProfileRequest) (*SwitchProfileResponse, error)
 	SetConfig(context.Context, *SetConfigRequest) (*SetConfigResponse, error)
 	AddProfile(context.Context, *AddProfileRequest) (*AddProfileResponse, error)
+	RenameProfile(context.Context, *RenameProfileRequest) (*RenameProfileResponse, error)
 	RemoveProfile(context.Context, *RemoveProfileRequest) (*RemoveProfileResponse, error)
 	ListProfiles(context.Context, *ListProfilesRequest) (*ListProfilesResponse, error)
 	GetActiveProfile(context.Context, *GetActiveProfileRequest) (*GetActiveProfileResponse, error)
@@ -723,6 +736,9 @@ func (UnimplementedDaemonServiceServer) SetConfig(context.Context, *SetConfigReq
 func (UnimplementedDaemonServiceServer) AddProfile(context.Context, *AddProfileRequest) (*AddProfileResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method AddProfile not implemented")
 }
+func (UnimplementedDaemonServiceServer) RenameProfile(context.Context, *RenameProfileRequest) (*RenameProfileResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method RenameProfile not implemented")
+}
 func (UnimplementedDaemonServiceServer) RemoveProfile(context.Context, *RemoveProfileRequest) (*RemoveProfileResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method RemoveProfile not implemented")
 }
@@ -1237,6 +1253,24 @@ func _DaemonService_AddProfile_Handler(srv interface{}, ctx context.Context, dec
 	return interceptor(ctx, in, info, handler)
 }
 
+func _DaemonService_RenameProfile_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RenameProfileRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).RenameProfile(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: DaemonService_RenameProfile_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).RenameProfile(ctx, req.(*RenameProfileRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _DaemonService_RemoveProfile_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(RemoveProfileRequest)
 	if err := dec(in); err != nil {
@@ -1567,6 +1601,10 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "AddProfile",
 			Handler:    _DaemonService_AddProfile_Handler,
 		},
+		{
+			MethodName: "RenameProfile",
+			Handler:    _DaemonService_RenameProfile_Handler,
+		},
 		{
 			MethodName: "RemoveProfile",
 			Handler:    _DaemonService_RemoveProfile_Handler,

client/server/login_overrides_test.go

@@ -79,7 +79,7 @@ func TestPersistLoginOverrides(t *testing.T) {
 			_, err := profilemanager.UpdateOrCreateConfig(seed)
 			require.NoError(t, err, "seed config")
 
-			activeProf := &profilemanager.ActiveProfileState{Name: "default"}
+			activeProf := &profilemanager.ActiveProfileState{ID: "default"}
 			err = persistLoginOverrides(activeProf, tt.newMgmtURL, tt.newPSK)
 			require.NoError(t, err, "persistLoginOverrides")
 

client/server/server.go

@@ -375,7 +375,7 @@ func (s *Server) SetConfig(callerCtx context.Context, msg *proto.SetConfigReques
 		return nil, err
 	}
 
-	config, err := setConfigInputFromRequest(msg)
+	config, err := s.setConfigInputFromRequest(msg)
 	if err != nil {
 		return nil, err
 	}
@@ -398,17 +398,17 @@ func (s *Server) SetConfig(callerCtx context.Context, msg *proto.SetConfigReques
 // field is its own optional case. Returns the resolved ConfigInput
 // and a non-nil error only when the active profile file path cannot
 // be determined.
-func setConfigInputFromRequest(msg *proto.SetConfigRequest) (profilemanager.ConfigInput, error) {
+func (s *Server) setConfigInputFromRequest(msg *proto.SetConfigRequest) (profilemanager.ConfigInput, error) {
 	var config profilemanager.ConfigInput
 
-	profState := profilemanager.ActiveProfileState{
-		Name:     msg.ProfileName,
-		Username: msg.Username,
-	}
-	profPath, err := profState.FilePath()
+	resolved, err := s.resolveProfileHandle(msg.ProfileName, msg.Username)
 	if err != nil {
-		log.Errorf("failed to get active profile file path: %v", err)
-		return config, fmt.Errorf("failed to get active profile file path: %w", err)
+		log.Errorf("failed to resolve profile %q: %v", msg.ProfileName, err)
+		return config, err
+	}
+	profPath := resolved.Path
+	if profPath == "" {
+		profPath = profilemanager.DefaultConfigPath
 	}
 	config.ConfigPath = profPath
 
@@ -535,30 +535,9 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 	}
 
 	if msg.ProfileName != nil {
-		if *msg.ProfileName != "default" && (msg.Username == nil || *msg.Username == "") {
-			log.Errorf("profile name is set to %s, but username is not provided", *msg.ProfileName)
-			return nil, fmt.Errorf("profile name is set to %s, but username is not provided", *msg.ProfileName)
-		}
-
-		var username string
-		if *msg.ProfileName != "default" {
-			username = *msg.Username
-		}
-
-		if *msg.ProfileName != activeProf.Name && username != activeProf.Username {
-			if s.checkProfilesDisabled() {
-				log.Errorf("profiles are disabled, you cannot use this feature without profiles enabled")
-				return nil, gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
-			}
-
-			log.Infof("switching to profile %s for user '%s'", *msg.ProfileName, username)
-			if err := s.profileManager.SetActiveProfileState(&profilemanager.ActiveProfileState{
-				Name:     *msg.ProfileName,
-				Username: username,
-			}); err != nil {
-				log.Errorf("failed to set active profile state: %v", err)
-				return nil, fmt.Errorf("failed to set active profile state: %w", err)
-			}
+		if _, err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
+			log.Errorf("failed to switch profile: %v", err)
+			return nil, err
 		}
 	}
 
@@ -568,7 +547,7 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 		return nil, fmt.Errorf("failed to get active profile state: %w", err)
 	}
 
-	log.Infof("active profile: %s for %s", activeProf.Name, activeProf.Username)
+	log.Infof("active profile: %s for %s", activeProf.ID, activeProf.Username)
 
 	s.mutex.Lock()
 
@@ -806,10 +785,10 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 	}
 
 	if msg != nil && msg.ProfileName != nil {
-		if err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
+		if _, err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
 			s.mutex.Unlock()
 			log.Errorf("failed to switch profile: %v", err)
-			return nil, fmt.Errorf("failed to switch profile: %w", err)
+			return nil, err
 		}
 	}
 
@@ -820,7 +799,7 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 		return nil, fmt.Errorf("failed to get active profile state: %w", err)
 	}
 
-	log.Infof("active profile: %s for %s", activeProf.Name, activeProf.Username)
+	log.Infof("active profile: %s for %s", activeProf.ID, activeProf.Username)
 
 	config, _, err := s.getConfig(activeProf)
 	if err != nil {
@@ -864,34 +843,60 @@ func (s *Server) waitForUp(callerCtx context.Context) (*proto.UpResponse, error)
 	}
 }
 
-func (s *Server) switchProfileIfNeeded(profileName string, userName *string, activeProf *profilemanager.ActiveProfileState) error {
-	if profileName != "default" && (userName == nil || *userName == "") {
-		log.Errorf("profile name is set to %s, but username is not provided", profileName)
-		return fmt.Errorf("profile name is set to %s, but username is not provided", profileName)
+// resolveProfileHandle resolves a wire-level profile handle (display
+// name, ID, or unique ID prefix) to a concrete profile. Returns gRPC
+// status errors so handlers can return them directly.
+func (s *Server) resolveProfileHandle(handle, username string) (*profilemanager.Profile, error) {
+	p, err := s.profileManager.ResolveProfile(handle, username)
+	if err == nil {
+		return p, nil
+	}
+	var amb *profilemanager.ErrAmbiguousHandle
+	if errors.As(err, &amb) {
+		return nil, gstatus.Errorf(codes.InvalidArgument, "%v", amb)
+	}
+	if errors.Is(err, profilemanager.ErrProfileNotFound) {
+		return nil, gstatus.Errorf(codes.NotFound, "profile %q not found", handle)
+	}
+	return nil, fmt.Errorf("resolve profile: %w", err)
+}
+
+// switchProfileIfNeeded resolves the user-supplied handle, updates the
+// active profile state if it differs from the current one, and returns
+// the resolved profile so callers can include its ID in RPC responses.
+func (s *Server) switchProfileIfNeeded(handle string, userName *string, activeProf *profilemanager.ActiveProfileState) (*profilemanager.Profile, error) {
+	if handle != profilemanager.DefaultProfileName && (userName == nil || *userName == "") {
+		log.Errorf("profile name is set to %s, but username is not provided", handle)
+		return nil, fmt.Errorf("profile name is set to %s, but username is not provided", handle)
 	}
 
 	var username string
-	if profileName != "default" {
+	if handle != profilemanager.DefaultProfileName {
 		username = *userName
 	}
 
-	if profileName != activeProf.Name || username != activeProf.Username {
+	resolved, err := s.resolveProfileHandle(handle, username)
+	if err != nil {
+		return nil, err
+	}
+
+	if resolved.ID != activeProf.ID || username != activeProf.Username {
 		if s.checkProfilesDisabled() {
 			log.Errorf("profiles are disabled, you cannot use this feature without profiles enabled")
-			return gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
+			return nil, gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
 		}
 
-		log.Infof("switching to profile %s for user %s", profileName, username)
+		log.Infof("switching to profile %s (%s) for user %s", resolved.Name, resolved.ID, username)
 		if err := s.profileManager.SetActiveProfileState(&profilemanager.ActiveProfileState{
-			Name:     profileName,
+			ID:       resolved.ID,
 			Username: username,
 		}); err != nil {
 			log.Errorf("failed to set active profile state: %v", err)
-			return fmt.Errorf("failed to set active profile state: %w", err)
+			return nil, fmt.Errorf("failed to set active profile state: %w", err)
 		}
 	}
 
-	return nil
+	return resolved, nil
 }
 
 // SwitchProfile switches the active profile in the daemon.
@@ -906,9 +911,9 @@ func (s *Server) SwitchProfile(callerCtx context.Context, msg *proto.SwitchProfi
 	}
 
 	if msg != nil && msg.ProfileName != nil {
-		if err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
+		if _, err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
 			log.Errorf("failed to switch profile: %v", err)
-			return nil, fmt.Errorf("failed to switch profile: %w", err)
+			return nil, err
 		}
 	}
 	activeProf, err = s.profileManager.GetActiveProfileState()
@@ -924,7 +929,7 @@ func (s *Server) SwitchProfile(callerCtx context.Context, msg *proto.SwitchProfi
 
 	s.config = config
 
-	return &proto.SwitchProfileResponse{}, nil
+	return &proto.SwitchProfileResponse{Id: activeProf.ID.String()}, nil
 }
 
 // Down engine work in the daemon.
@@ -1014,22 +1019,27 @@ func (s *Server) Logout(ctx context.Context, msg *proto.LogoutRequest) (*proto.L
 }
 
 func (s *Server) handleProfileLogout(ctx context.Context, msg *proto.LogoutRequest) (*proto.LogoutResponse, error) {
-	if err := s.validateProfileOperation(*msg.ProfileName, true); err != nil {
-		return nil, err
-	}
-
 	if msg.Username == nil || *msg.Username == "" {
 		return nil, gstatus.Errorf(codes.InvalidArgument, "username must be provided when profile name is specified")
 	}
 	username := *msg.Username
 
-	if err := s.logoutFromProfile(ctx, *msg.ProfileName, username); err != nil {
-		log.Errorf("failed to logout from profile %s: %v", *msg.ProfileName, err)
+	resolved, err := s.resolveProfileHandle(*msg.ProfileName, username)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := s.validateProfileOperation(resolved.ID, true); err != nil {
+		return nil, err
+	}
+
+	if err := s.logoutFromProfile(ctx, resolved); err != nil {
+		log.Errorf("failed to logout from profile %s: %v", resolved.ID, err)
 		return nil, gstatus.Errorf(codes.Internal, "logout: %v", err)
 	}
 
 	activeProf, _ := s.profileManager.GetActiveProfileState()
-	if activeProf != nil && activeProf.Name == *msg.ProfileName {
+	if activeProf != nil && activeProf.ID == resolved.ID {
 		if err := s.cleanupConnection(); err != nil && !errors.Is(err, ErrServiceNotUp) {
 			log.Errorf("failed to cleanup connection: %v", err)
 		}
@@ -1091,30 +1101,30 @@ func (s *Server) getConfig(activeProf *profilemanager.ActiveProfileState) (*prof
 	return config, configExisted, nil
 }
 
-func (s *Server) canRemoveProfile(profileName string) error {
-	if profileName == profilemanager.DefaultProfileName {
+func (s *Server) canRemoveProfile(id profilemanager.ID) error {
+	if id == profilemanager.DefaultProfileName {
 		return fmt.Errorf("remove profile with reserved name: %s", profilemanager.DefaultProfileName)
 	}
 
 	activeProf, err := s.profileManager.GetActiveProfileState()
-	if err == nil && activeProf.Name == profileName {
-		return fmt.Errorf("remove active profile: %s", profileName)
+	if err == nil && activeProf.ID == id {
+		return fmt.Errorf("remove active profile: %s", id)
 	}
 
 	return nil
 }
 
-func (s *Server) validateProfileOperation(profileName string, allowActiveProfile bool) error {
+func (s *Server) validateProfileOperation(id profilemanager.ID, allowActiveProfile bool) error {
 	if s.checkProfilesDisabled() {
 		return gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
 	}
 
-	if profileName == "" {
+	if id == "" {
 		return gstatus.Errorf(codes.InvalidArgument, "profile name must be provided")
 	}
 
 	if !allowActiveProfile {
-		if err := s.canRemoveProfile(profileName); err != nil {
+		if err := s.canRemoveProfile(id); err != nil {
 			return gstatus.Errorf(codes.InvalidArgument, "%v", err)
 		}
 	}
@@ -1122,25 +1132,20 @@ func (s *Server) validateProfileOperation(profileName string, allowActiveProfile
 	return nil
 }
 
-// logoutFromProfile logs out from a specific profile by loading its config and sending logout request
-func (s *Server) logoutFromProfile(ctx context.Context, profileName, username string) error {
+func (s *Server) logoutFromProfile(ctx context.Context, profile *profilemanager.Profile) error {
 	activeProf, err := s.profileManager.GetActiveProfileState()
-	if err == nil && activeProf.Name == profileName && s.connectClient != nil {
+	if err == nil && activeProf.ID == profile.ID && s.connectClient != nil {
 		return s.sendLogoutRequest(ctx)
 	}
 
-	profileState := &profilemanager.ActiveProfileState{
-		Name:     profileName,
-		Username: username,
-	}
-	profilePath, err := profileState.FilePath()
-	if err != nil {
-		return fmt.Errorf("get profile path: %w", err)
+	cfgPath := profile.Path
+	if cfgPath == "" {
+		cfgPath = profilemanager.DefaultConfigPath
 	}
 
-	config, err := profilemanager.GetConfig(profilePath)
+	config, err := profilemanager.GetConfig(cfgPath)
 	if err != nil {
-		return fmt.Errorf("profile '%s' not found", profileName)
+		return fmt.Errorf("profile '%s' not found", profile.ID)
 	}
 
 	return s.sendLogoutRequestWithConfig(ctx, config)
@@ -1558,15 +1563,14 @@ func (s *Server) GetConfig(ctx context.Context, req *proto.GetConfigRequest) (*p
 		return nil, ctx.Err()
 	}
 
-	prof := profilemanager.ActiveProfileState{
-		Name:     req.ProfileName,
-		Username: req.Username,
-	}
-
-	cfgPath, err := prof.FilePath()
+	resolved, err := s.resolveProfileHandle(req.ProfileName, req.Username)
 	if err != nil {
-		log.Errorf("failed to get active profile file path: %v", err)
-		return nil, fmt.Errorf("failed to get active profile file path: %w", err)
+		log.Errorf("failed to resolve profile %q: %v", req.ProfileName, err)
+		return nil, err
+	}
+	cfgPath := resolved.Path
+	if cfgPath == "" {
+		cfgPath = profilemanager.DefaultConfigPath
 	}
 
 	cfg, err := profilemanager.GetConfig(cfgPath)
@@ -1671,12 +1675,39 @@ func (s *Server) AddProfile(ctx context.Context, msg *proto.AddProfileRequest) (
 		return nil, gstatus.Errorf(codes.InvalidArgument, "profile name and username must be provided")
 	}
 
-	if err := s.profileManager.AddProfile(msg.ProfileName, msg.Username); err != nil {
+	created, err := s.profileManager.AddProfile(msg.ProfileName, msg.Username)
+	if err != nil {
 		log.Errorf("failed to create profile: %v", err)
 		return nil, fmt.Errorf("failed to create profile: %w", err)
 	}
 
-	return &proto.AddProfileResponse{}, nil
+	return &proto.AddProfileResponse{Id: created.ID.String()}, nil
+}
+
+func (s *Server) RenameProfile(ctx context.Context, msg *proto.RenameProfileRequest) (*proto.RenameProfileResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	if s.checkProfilesDisabled() {
+		return nil, gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
+	}
+
+	if msg.Handle == "" || msg.Username == "" || msg.NewProfileName == "" {
+		return nil, gstatus.Errorf(codes.InvalidArgument, "profile name, username and new profile name must be provided")
+	}
+
+	resolved, err := s.resolveProfileHandle(msg.Handle, msg.Username)
+	if err != nil {
+		return nil, err
+	}
+
+	err = s.profileManager.RenameProfile(resolved.ID, msg.Username, msg.NewProfileName)
+	if err != nil {
+		log.Errorf("failed to rename profile: %v", err)
+		return nil, fmt.Errorf("failed to rename profile: %w", err)
+	}
+
+	return &proto.RenameProfileResponse{OldProfileName: resolved.Name}, nil
 }
 
 // RemoveProfile removes a profile from the daemon.
@@ -1684,20 +1715,29 @@ func (s *Server) RemoveProfile(ctx context.Context, msg *proto.RemoveProfileRequ
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
-	if err := s.validateProfileOperation(msg.ProfileName, false); err != nil {
+	if s.checkProfilesDisabled() {
+		return nil, gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
+	}
+
+	if msg.ProfileName == "" {
+		return nil, gstatus.Errorf(codes.InvalidArgument, "profile name must be provided")
+	}
+
+	resolved, err := s.resolveProfileHandle(msg.ProfileName, msg.Username)
+	if err != nil {
 		return nil, err
 	}
 
-	if err := s.logoutFromProfile(ctx, msg.ProfileName, msg.Username); err != nil {
-		log.Warnf("failed to logout from profile %s before removal: %v", msg.ProfileName, err)
+	if err := s.logoutFromProfile(ctx, resolved); err != nil {
+		log.Warnf("failed to logout from profile %s before removal: %v", resolved.ID, err)
 	}
 
-	if err := s.profileManager.RemoveProfile(msg.ProfileName, msg.Username); err != nil {
+	if err := s.profileManager.RemoveProfile(resolved.ID, msg.Username); err != nil {
 		log.Errorf("failed to remove profile: %v", err)
 		return nil, fmt.Errorf("failed to remove profile: %w", err)
 	}
 
-	return &proto.RemoveProfileResponse{}, nil
+	return &proto.RemoveProfileResponse{Id: resolved.ID.String()}, nil
 }
 
 // ListProfiles lists all profiles in the daemon.
@@ -1720,6 +1760,7 @@ func (s *Server) ListProfiles(ctx context.Context, msg *proto.ListProfilesReques
 	}
 	for i, profile := range profiles {
 		response.Profiles[i] = &proto.Profile{
+			Id:       profile.ID.String(),
 			Name:     profile.Name,
 			IsActive: profile.IsActive,
 		}
@@ -1728,7 +1769,9 @@ func (s *Server) ListProfiles(ctx context.Context, msg *proto.ListProfilesReques
 	return response, nil
 }
 
-// GetActiveProfile returns the active profile in the daemon.
+// GetActiveProfile returns the active profile in the daemon. The ProfileName
+// field carries the display name for backwards compatibility with UI clients,
+// new callers should prefer Id.
 func (s *Server) GetActiveProfile(ctx context.Context, msg *proto.GetActiveProfileRequest) (*proto.GetActiveProfileResponse, error) {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
@@ -1739,9 +1782,23 @@ func (s *Server) GetActiveProfile(ctx context.Context, msg *proto.GetActiveProfi
 		return nil, fmt.Errorf("failed to get active profile state: %w", err)
 	}
 
+	// Fallback to legacy name == ID
+	displayName := activeProfile.ID.String()
+	if activeProfile.ID != profilemanager.DefaultProfileName {
+		if profiles, lerr := s.profileManager.ListProfiles(activeProfile.Username); lerr == nil {
+			for _, p := range profiles {
+				if p.ID == activeProfile.ID {
+					displayName = p.Name
+					break
+				}
+			}
+		}
+	}
+
 	return &proto.GetActiveProfileResponse{
-		ProfileName: activeProfile.Name,
+		ProfileName: displayName,
 		Username:    activeProfile.Username,
+		Id:          activeProfile.ID.String(),
 	}, nil
 }
 

client/server/server_test.go

@@ -97,7 +97,7 @@ func TestConnectWithRetryRuns(t *testing.T) {
 
 	pm := profilemanager.ServiceManager{}
 	err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		Name:     "test-profile",
+		ID:       "test-profile",
 		Username: currUser.Username,
 	})
 	if err != nil {
@@ -158,7 +158,7 @@ func TestServer_Up(t *testing.T) {
 
 	pm := profilemanager.ServiceManager{}
 	err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		Name:     profName,
+		ID:       profilemanager.ID(profName),
 		Username: currUser.Username,
 	})
 	if err != nil {
@@ -228,7 +228,7 @@ func TestServer_SubcribeEvents(t *testing.T) {
 
 	pm := profilemanager.ServiceManager{}
 	err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		Name:     "default",
+		ID:       "default",
 		Username: currUser.Username,
 	})
 	if err != nil {

client/server/setconfig_mdm_test.go

@@ -62,7 +62,7 @@ func setupServerWithProfile(t *testing.T) (s *Server, ctx context.Context, profN
 
 	pm := profilemanager.ServiceManager{}
 	require.NoError(t, pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		Name:     profName,
+		ID:       profilemanager.ID(profName),
 		Username: currUser.Username,
 	}))
 

client/server/setconfig_test.go

@@ -47,7 +47,7 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 
 	pm := profilemanager.ServiceManager{}
 	err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		Name:     profName,
+		ID:       profilemanager.ID(profName),
 		Username: currUser.Username,
 	})
 	require.NoError(t, err)
@@ -96,7 +96,7 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 		DisableNotifications:  &disableNotifications,
 		LazyConnectionEnabled: &lazyConnectionEnabled,
 		BlockInbound:          &blockInbound,
-		DisableIpv6:          &disableIPv6,
+		DisableIpv6:           &disableIPv6,
 		NatExternalIPs:        []string{"1.2.3.4", "5.6.7.8"},
 		CleanNATExternalIPs:   false,
 		CustomDNSAddress:      []byte("1.1.1.1:53"),
@@ -112,7 +112,7 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 	require.NoError(t, err)
 
 	profState := profilemanager.ActiveProfileState{
-		Name:     profName,
+		ID:       profilemanager.ID(profName),
 		Username: currUser.Username,
 	}
 	cfgPath, err := profState.FilePath()

client/ui/client_ui.go

@@ -336,11 +336,11 @@ type serviceClient struct {
 	// mNetworks + mExitNode submenu items. Combines features.DisableNetworks
 	// AND s.connected — both must be true for the menus to be active.
 	// Zero value (false) matches the Disable() call at AddMenuItem time.
-	networksMenuEnabled bool
-	showNetworks        bool
-	wNetworks           fyne.Window
-	wProfiles           fyne.Window
-	wQuickActions       fyne.Window
+	networksMenuEnabled  bool
+	showNetworks         bool
+	wNetworks            fyne.Window
+	wProfiles            fyne.Window
+	wQuickActions        fyne.Window
 
 	eventManager *event.Manager
 
@@ -645,7 +645,7 @@ func (s *serviceClient) buildSetConfigRequest(iMngURL string, port, mtu int64) (
 	}
 
 	req := &proto.SetConfigRequest{
-		ProfileName: activeProf.Name,
+		ProfileName: activeProf.ID.String(),
 		Username:    currUser.Username,
 	}
 
@@ -818,13 +818,15 @@ func (s *serviceClient) login(ctx context.Context, openURL bool) (*proto.LoginRe
 		return nil, fmt.Errorf("get current user: %w", err)
 	}
 
+	handle := activeProf.ID.String()
+
 	loginReq := &proto.LoginRequest{
 		IsUnixDesktopClient: runtime.GOOS == "linux" || runtime.GOOS == "freebsd",
-		ProfileName:         &activeProf.Name,
+		ProfileName:         &handle,
 		Username:            &currUser.Username,
 	}
 
-	profileState, err := s.profileManager.GetProfileState(activeProf.Name)
+	profileState, err := s.profileManager.GetProfileState(activeProf.ID)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {
@@ -1367,7 +1369,7 @@ func (s *serviceClient) getSrvConfig() {
 	}
 
 	srvCfg, err := conn.GetConfig(s.ctx, &proto.GetConfigRequest{
-		ProfileName: activeProf.Name,
+		ProfileName: activeProf.ID.String(),
 		Username:    currUser.Username,
 	})
 	if err != nil {
@@ -1613,7 +1615,7 @@ func (s *serviceClient) loadSettings() {
 	}
 
 	cfg, err := conn.GetConfig(s.ctx, &proto.GetConfigRequest{
-		ProfileName: activeProf.Name,
+		ProfileName: activeProf.ID.String(),
 		Username:    currUser.Username,
 	})
 	if err != nil {
@@ -1813,7 +1815,7 @@ func (s *serviceClient) updateConfig() error {
 	}
 
 	req := proto.SetConfigRequest{
-		ProfileName:           activeProf.Name,
+		ProfileName:           activeProf.ID.String(),
 		Username:              currUser.Username,
 		DisableAutoConnect:    &disableAutoStart,
 		ServerSSHAllowed:      &sshAllowed,

client/ui/profile.go

@@ -66,7 +66,7 @@ func (s *serviceClient) showProfilesUI() {
 			} else {
 				indicator.SetText("")
 			}
-			nameLabel.SetText(profile.Name)
+			nameLabel.SetText(formatProfileLabel(profile, profiles))
 
 			// Configure Select/Active button
 			selectBtn.SetText(func() string {
@@ -88,7 +88,7 @@ func (s *serviceClient) showProfilesUI() {
 							return
 						}
 						// switch
-						err = s.switchProfile(profile.Name)
+						err = s.switchProfile(profile.ID)
 						if err != nil {
 							log.Errorf("failed to switch profile: %v", err)
 							dialog.ShowError(errors.New("failed to select profile"), s.wProfiles)
@@ -130,7 +130,7 @@ func (s *serviceClient) showProfilesUI() {
 			logoutBtn.Show()
 			logoutBtn.SetText("Deregister")
 			logoutBtn.OnTapped = func() {
-				s.handleProfileLogout(profile.Name, refresh)
+				s.handleProfileLogout(profile, refresh)
 			}
 
 			// Remove profile
@@ -144,7 +144,7 @@ func (s *serviceClient) showProfilesUI() {
 							return
 						}
 
-						err = s.removeProfile(profile.Name)
+						err = s.removeProfile(profile.ID)
 						if err != nil {
 							log.Errorf("failed to remove profile: %v", err)
 							dialog.ShowError(fmt.Errorf("failed to remove profile"), s.wProfiles)
@@ -250,7 +250,7 @@ func (s *serviceClient) addProfile(profileName string) error {
 	return nil
 }
 
-func (s *serviceClient) switchProfile(profileName string) error {
+func (s *serviceClient) switchProfile(handle string) error {
 	conn, err := s.getSrvClient(defaultFailTimeout)
 	if err != nil {
 		return fmt.Errorf(getClientFMT, err)
@@ -261,15 +261,15 @@ func (s *serviceClient) switchProfile(profileName string) error {
 		return fmt.Errorf("get current user: %w", err)
 	}
 
-	if _, err := conn.SwitchProfile(s.ctx, &proto.SwitchProfileRequest{
-		ProfileName: &profileName,
+	resp, err := conn.SwitchProfile(s.ctx, &proto.SwitchProfileRequest{
+		ProfileName: &handle,
 		Username:    &currUser.Username,
-	}); err != nil {
+	})
+	if err != nil {
 		return fmt.Errorf("switch profile failed: %w", err)
 	}
 
-	err = s.profileManager.SwitchProfile(profileName)
-	if err != nil {
+	if err := s.profileManager.SwitchProfile(profilemanager.ID(resp.Id)); err != nil {
 		return fmt.Errorf("switch profile: %w", err)
 	}
 
@@ -299,10 +299,27 @@ func (s *serviceClient) removeProfile(profileName string) error {
 }
 
 type Profile struct {
+	ID       string
 	Name     string
 	IsActive bool
 }
 
+// formatProfileLabel returns the display label for a profile. Profiles can
+// share the same Name, so when more than one profile in profiles carries this
+// Name, a short form of the ID is appended to disambiguate the entries.
+func formatProfileLabel(profile Profile, profiles []Profile) string {
+	count := 0
+	for _, p := range profiles {
+		if p.Name == profile.Name {
+			count++
+		}
+	}
+	if count <= 1 {
+		return profile.Name
+	}
+	return fmt.Sprintf("%s (%s)", profile.Name, profilemanager.ID(profile.ID).ShortID())
+}
+
 func (s *serviceClient) getProfiles() ([]Profile, error) {
 	conn, err := s.getSrvClient(defaultFailTimeout)
 	if err != nil {
@@ -324,6 +341,7 @@ func (s *serviceClient) getProfiles() ([]Profile, error) {
 
 	for _, profile := range profilesResp.Profiles {
 		profiles = append(profiles, Profile{
+			ID:       profile.Id,
 			Name:     profile.Name,
 			IsActive: profile.IsActive,
 		})
@@ -332,10 +350,10 @@ func (s *serviceClient) getProfiles() ([]Profile, error) {
 	return profiles, nil
 }
 
-func (s *serviceClient) handleProfileLogout(profileName string, refreshCallback func()) {
+func (s *serviceClient) handleProfileLogout(profile Profile, refreshCallback func()) {
 	dialog.ShowConfirm(
 		"Deregister",
-		fmt.Sprintf("Are you sure you want to deregister from '%s'?", profileName),
+		fmt.Sprintf("Are you sure you want to deregister from '%s'?", profile.Name),
 		func(confirm bool) {
 			if !confirm {
 				return
@@ -356,8 +374,10 @@ func (s *serviceClient) handleProfileLogout(profileName string, refreshCallback
 			}
 
 			username := currUser.Username
+			// ProfileName is treated as a handle; send the ID so the
+			// daemon resolves to exactly this profile.
 			_, err = conn.Logout(s.ctx, &proto.LogoutRequest{
-				ProfileName: &profileName,
+				ProfileName: &profile.ID,
 				Username:    &username,
 			})
 			if err != nil {
@@ -368,7 +388,7 @@ func (s *serviceClient) handleProfileLogout(profileName string, refreshCallback
 
 			dialog.ShowInformation(
 				"Deregistered",
-				fmt.Sprintf("Successfully deregistered from '%s'", profileName),
+				fmt.Sprintf("Successfully deregistered from '%s'", profile.Name),
 				s.wProfiles,
 			)
 
@@ -461,6 +481,7 @@ func (p *profileMenu) getProfiles() ([]Profile, error) {
 
 	for _, profile := range profilesResp.Profiles {
 		profiles = append(profiles, Profile{
+			ID:       profile.Id,
 			Name:     profile.Name,
 			IsActive: profile.IsActive,
 		})
@@ -501,7 +522,7 @@ func (p *profileMenu) refresh() {
 	}
 
 	if activeProf.ProfileName == "default" || activeProf.Username == currUser.Username {
-		activeProfState, err := p.profileManager.GetProfileState(activeProf.ProfileName)
+		activeProfState, err := p.profileManager.GetProfileState(profilemanager.ID(activeProf.Id))
 		if err != nil {
 			log.Warnf("failed to get active profile state: %v", err)
 			p.emailMenuItem.Hide()
@@ -512,7 +533,7 @@ func (p *profileMenu) refresh() {
 	}
 
 	for _, profile := range profiles {
-		item := p.profileMenuItem.AddSubMenuItem(profile.Name, "")
+		item := p.profileMenuItem.AddSubMenuItem(formatProfileLabel(profile, profiles), "")
 		if profile.IsActive {
 			item.Check()
 		}
@@ -541,8 +562,8 @@ func (p *profileMenu) refresh() {
 						return
 					}
 
-					_, err = conn.SwitchProfile(ctx, &proto.SwitchProfileRequest{
-						ProfileName: &profile.Name,
+					switchResp, err := conn.SwitchProfile(ctx, &proto.SwitchProfileRequest{
+						ProfileName: &profile.ID,
 						Username:    &currUser.Username,
 					})
 					if err != nil {
@@ -552,7 +573,7 @@ func (p *profileMenu) refresh() {
 						return
 					}
 
-					err = p.profileManager.SwitchProfile(profile.Name)
+					err = p.profileManager.SwitchProfile(profilemanager.ID(switchResp.Id))
 					if err != nil {
 						log.Errorf("failed to switch profile '%s': %v", profile.Name, err)
 						return
@@ -727,7 +748,10 @@ func (p *profileMenu) updateMenu() {
 			}
 
 			sort.Slice(profiles, func(i, j int) bool {
-				return profiles[i].Name < profiles[j].Name
+				if profiles[i].Name != profiles[j].Name {
+					return profiles[i].Name < profiles[j].Name
+				}
+				return profiles[i].ID < profiles[j].ID
 			})
 
 			p.mu.Lock()

combined/Dockerfile

@@ -2,4 +2,5 @@ FROM ubuntu:24.04
 RUN apt update && apt install -y ca-certificates && rm -fr /var/cache/apt
 ENTRYPOINT [ "/go/bin/netbird-server" ]
 CMD ["--config", "/etc/netbird/config.yaml"]
-COPY netbird-server /go/bin/netbird-server
+ARG TARGETPLATFORM
+COPY ${TARGETPLATFORM}/netbird-server /go/bin/netbird-server

dns/nameserver.go

@@ -53,9 +53,6 @@ type NameServerGroup struct {
 	ID string `gorm:"primaryKey"`
 	// AccountID is a reference to Account that this object belongs
 	AccountID string `gorm:"index"`
-	// AccountSeqID is a per-account monotonically increasing identifier used as the
-	// compact wire id when sending NetworkMap components to capable peers.
-	AccountSeqID uint32 `json:"-" gorm:"index:idx_nameserver_groups_account_seq_id;not null;default:0"`
 	// Name group name
 	Name string
 	// Description group description

idp/dex/config.go

@@ -308,7 +308,7 @@ func (s *Storage) OpenStorage(logger *slog.Logger) (storage.Storage, error) {
 		if file == "" {
 			return nil, fmt.Errorf("sqlite3 storage requires 'file' config")
 		}
-		return newSQLite3(file).Open(logger)
+		return (&sql.SQLite3{File: file}).Open(logger)
 	case "postgres":
 		dsn, _ := s.Config["dsn"].(string)
 		if dsn == "" {

idp/dex/provider.go

@@ -20,6 +20,7 @@ import (
 	"github.com/dexidp/dex/server"
 	"github.com/dexidp/dex/server/signer"
 	"github.com/dexidp/dex/storage"
+	"github.com/dexidp/dex/storage/sql"
 	jose "github.com/go-jose/go-jose/v4"
 	"github.com/google/uuid"
 	"github.com/prometheus/client_golang/prometheus"
@@ -78,7 +79,7 @@ func NewProvider(ctx context.Context, config *Config) (*Provider, error) {
 
 	// Initialize SQLite storage
 	dbPath := filepath.Join(config.DataDir, "oidc.db")
-	sqliteConfig := newSQLite3(dbPath)
+	sqliteConfig := &sql.SQLite3{File: dbPath}
 	stor, err := sqliteConfig.Open(logger)
 	if err != nil {
 		return nil, fmt.Errorf("failed to open storage: %w", err)

idp/dex/sqlite_cgo.go

@@ -1,15 +0,0 @@
-//go:build cgo
-
-package dex
-
-import (
-	sql "github.com/dexidp/dex/storage/sql"
-)
-
-// newSQLite3 builds the dex SQLite3 config. CGO builds use the upstream
-// struct that takes a File path. Non-CGO builds get an empty stub whose
-// Open() returns the dex "SQLite not available" error — correct behaviour
-// for binaries that can't link sqlite3 (e.g. cross-compiled ARM targets).
-func newSQLite3(file string) *sql.SQLite3 {
-	return &sql.SQLite3{File: file}
-}

idp/dex/sqlite_nocgo.go

@@ -1,15 +0,0 @@
-//go:build !cgo
-
-package dex
-
-import (
-	sql "github.com/dexidp/dex/storage/sql"
-)
-
-// newSQLite3 for non-CGO builds. The dex SQLite3 stub has no fields and its
-// Open() returns an error documenting the missing CGO support — correct
-// behaviour for cross-compiled artefacts that never actually run the
-// embedded IdP. The `file` argument is ignored.
-func newSQLite3(_ string) *sql.SQLite3 {
-	return &sql.SQLite3{}
-}

management/Dockerfile

@@ -2,4 +2,5 @@ FROM ubuntu:24.04
 RUN apt update && apt install -y ca-certificates && rm -fr /var/cache/apt
 ENTRYPOINT [ "/go/bin/netbird-mgmt","management"]
 CMD ["--log-file", "console"]
-COPY netbird-mgmt /go/bin/netbird-mgmt
+ARG TARGETPLATFORM
+COPY ${TARGETPLATFORM}/netbird-mgmt /go/bin/netbird-mgmt

management/Dockerfile.debug

@@ -1,5 +0,0 @@
-FROM ubuntu:24.04
-RUN apt update && apt install -y ca-certificates && rm -fr /var/cache/apt
-ENTRYPOINT [ "/go/bin/netbird-mgmt","management","--log-level","debug"]
-CMD ["--log-file", "console"]
-COPY netbird-mgmt /go/bin/netbird-mgmt

management/internals/controllers/network_map/controller/controller.go

@@ -56,12 +56,6 @@ type Controller struct {
 	proxyController port_forwarding.Controller
 
 	integratedPeerValidator integrated_validator.IntegratedValidator
-
-	// componentsDisabled, when true, forces the controller to emit legacy
-	// proto.NetworkMap to every peer regardless of capability. Set once at
-	// construction and never written after — readers race-free without a
-	// mutex.
-	componentsDisabled bool
 }
 
 type bufferUpdate struct {
@@ -95,27 +89,12 @@ func NewController(ctx context.Context, store store.Store, metrics telemetry.App
 		settingsManager:         settingsManager,
 		dnsDomain:               dnsDomain,
 		config:                  config,
-		componentsDisabled:      parseBoolEnv("NB_NETWORK_MAP_COMPONENTS_DISABLE"),
 
 		proxyController:       proxyController,
 		EphemeralPeersManager: ephemeralPeersManager,
 	}
 }
 
-// PeerNeedsComponents reports whether the gRPC layer should emit the
-// component-based wire format for this peer.
-func (c *Controller) PeerNeedsComponents(p *nbpeer.Peer) bool {
-	return p != nil && p.SupportsComponentNetworkMap() && !c.componentsDisabled
-}
-
-// parseBoolEnv reads an env var via strconv.ParseBool so callers accept the
-// usual "1/t/T/TRUE/true/True" set instead of being strict about a single
-// literal.
-func parseBoolEnv(key string) bool {
-	v, _ := strconv.ParseBool(os.Getenv(key))
-	return v
-}
-
 func (c *Controller) OnPeerConnected(ctx context.Context, accountID string, peerID string) (chan *network_map.UpdateMessage, error) {
 	peer, err := c.repo.GetPeerByID(ctx, accountID, peerID)
 	if err != nil {
@@ -225,26 +204,18 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 			c.metrics.CountCalcPostureChecksDuration(time.Since(start))
 			start = time.Now()
 
-			result := account.GetPeerNetworkMapResult(ctx, p.ID, c.componentsDisabled, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
+			remotePeerNetworkMap := account.GetPeerNetworkMapFromComponents(ctx, p.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
 
 			c.metrics.CountCalcPeerNetworkMapDuration(time.Since(start))
 
-			proxyNetworkMap := proxyNetworkMaps[p.ID]
-			if result.NetworkMap != nil && proxyNetworkMap != nil {
-				result.NetworkMap.Merge(proxyNetworkMap)
+			proxyNetworkMap, ok := proxyNetworkMaps[p.ID]
+			if ok {
+				remotePeerNetworkMap.Merge(proxyNetworkMap)
 			}
 
 			peerGroups := account.GetPeerGroups(p.ID)
 			start = time.Now()
-			var update *proto.SyncResponse
-			if result.IsComponents() {
-				// proxyNetworkMap rides the envelope as a ProxyPatch sidecar;
-				// the client merges it into Calculate()'s output the same
-				// way the legacy server did via NetworkMap.Merge.
-				update = grpc.ToComponentSyncResponse(ctx, nil, c.config.HttpConfig, c.config.DeviceAuthorizationFlow, p, nil, nil, result.Components, proxyNetworkMap, dnsDomain, postureChecks, account.Settings, extraSetting, maps.Keys(peerGroups), dnsFwdPort)
-			} else {
-				update = grpc.ToSyncResponse(ctx, nil, c.config.HttpConfig, c.config.DeviceAuthorizationFlow, p, nil, nil, result.NetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSetting, maps.Keys(peerGroups), dnsFwdPort)
-			}
+			update := grpc.ToSyncResponse(ctx, nil, c.config.HttpConfig, c.config.DeviceAuthorizationFlow, p, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSetting, maps.Keys(peerGroups), dnsFwdPort)
 			c.metrics.CountToSyncResponseDuration(time.Since(start))
 
 			c.peersUpdateManager.SendUpdate(ctx, p.ID, &network_map.UpdateMessage{
@@ -454,11 +425,11 @@ func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, pe
 		return err
 	}
 
-	result := account.GetPeerNetworkMapResult(ctx, peerId, c.componentsDisabled, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
+	remotePeerNetworkMap := account.GetPeerNetworkMapFromComponents(ctx, peerId, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs)
 
-	proxyNetworkMap := proxyNetworkMaps[peer.ID]
-	if result.NetworkMap != nil && proxyNetworkMap != nil {
-		result.NetworkMap.Merge(proxyNetworkMap)
+	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
+	if ok {
+		remotePeerNetworkMap.Merge(proxyNetworkMap)
 	}
 
 	extraSettings, err := c.settingsManager.GetExtraSettings(ctx, peer.AccountID)
@@ -469,12 +440,7 @@ func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, pe
 	peerGroups := account.GetPeerGroups(peerId)
 	dnsFwdPort := computeForwarderPort(maps.Values(account.Peers), network_map.DnsForwarderPortMinVersion)
 
-	var update *proto.SyncResponse
-	if result.IsComponents() {
-		update = grpc.ToComponentSyncResponse(ctx, nil, c.config.HttpConfig, c.config.DeviceAuthorizationFlow, peer, nil, nil, result.Components, proxyNetworkMap, dnsDomain, postureChecks, account.Settings, extraSettings, maps.Keys(peerGroups), dnsFwdPort)
-	} else {
-		update = grpc.ToSyncResponse(ctx, nil, c.config.HttpConfig, c.config.DeviceAuthorizationFlow, peer, nil, nil, result.NetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSettings, maps.Keys(peerGroups), dnsFwdPort)
-	}
+	update := grpc.ToSyncResponse(ctx, nil, c.config.HttpConfig, c.config.DeviceAuthorizationFlow, peer, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSettings, maps.Keys(peerGroups), dnsFwdPort)
 	c.peersUpdateManager.SendUpdate(ctx, peer.ID, &network_map.UpdateMessage{
 		Update:      update,
 		MessageType: network_map.MessageTypeNetworkMap,
@@ -521,66 +487,6 @@ func (c *Controller) BufferUpdateAccountPeers(ctx context.Context, accountID str
 	return nil
 }
 
-// GetValidatedPeerWithComponents is the components-format counterpart of
-// GetValidatedPeerWithMap. It returns raw NetworkMapComponents for capable
-// peers along with the proxy NetworkMap fragment (BYOP / port-forwarding
-// data the legacy server folds in via NetworkMap.Merge). The gRPC layer
-// encodes both into the wire envelope. Callers must gate on capability
-// themselves before dispatching here — this method does NOT branch on it.
-func (c *Controller) GetValidatedPeerWithComponents(ctx context.Context, isRequiresApproval bool, accountID string, peer *nbpeer.Peer) (*nbpeer.Peer, *types.NetworkMapComponents, *types.NetworkMap, []*posture.Checks, int64, error) {
-	if isRequiresApproval {
-		network, err := c.repo.GetAccountNetwork(ctx, accountID)
-		if err != nil {
-			return nil, nil, nil, nil, 0, err
-		}
-		return peer, &types.NetworkMapComponents{Network: network.Copy()}, nil, nil, 0, nil
-	}
-
-	account, err := c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
-	if err != nil {
-		return nil, nil, nil, nil, 0, err
-	}
-
-	account.InjectProxyPolicies(ctx)
-
-	approvedPeersMap, err := c.integratedPeerValidator.GetValidatedPeers(ctx, account.Id, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
-	if err != nil {
-		return nil, nil, nil, nil, 0, err
-	}
-
-	postureChecks, err := c.getPeerPostureChecks(account, peer.ID)
-	if err != nil {
-		return nil, nil, nil, nil, 0, err
-	}
-
-	accountZones, err := c.repo.GetAccountZones(ctx, account.Id)
-	if err != nil {
-		return nil, nil, nil, nil, 0, err
-	}
-
-	// Fetch the proxy network map fragment for this peer alongside the
-	// components — same single-account-load path the streaming controller
-	// uses, so initial-sync delivers BYOP/forwarding patches synchronously
-	// instead of waiting for the next streaming push.
-	proxyNetworkMaps, err := c.proxyController.GetProxyNetworkMaps(ctx, account.Id, peer.ID, account.Peers)
-	if err != nil {
-		log.WithContext(ctx).Errorf("failed to get proxy network maps: %v", err)
-		return nil, nil, nil, nil, 0, err
-	}
-
-	dnsDomain := c.GetDNSDomain(account.Settings)
-	peersCustomZone := account.GetPeersCustomZone(ctx, dnsDomain)
-
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-	groupIDToUserIDs := account.GetActiveGroupUsers()
-	components := account.GetPeerNetworkMapComponents(ctx, peer.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, groupIDToUserIDs)
-
-	dnsFwdPort := computeForwarderPort(maps.Values(account.Peers), network_map.DnsForwarderPortMinVersion)
-
-	return peer, components, proxyNetworkMaps[peer.ID], postureChecks, dnsFwdPort, nil
-}
-
 // BufferUpdateAffectedPeers accumulates peer IDs and flushes them after the buffer interval.
 func (c *Controller) BufferUpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string, reason types.UpdateReason) error {
 	if len(peerIDs) == 0 {

management/internals/controllers/network_map/interface.go

@@ -24,10 +24,6 @@ type Controller interface {
 	UpdateAccountPeer(ctx context.Context, accountId string, peerId string) error
 	BufferUpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) error
 	GetValidatedPeerWithMap(ctx context.Context, isRequiresApproval bool, accountID string, peerID string) (*types.NetworkMap, []*posture.Checks, int64, error)
-	GetValidatedPeerWithComponents(ctx context.Context, isRequiresApproval bool, accountID string, p *nbpeer.Peer) (*nbpeer.Peer, *types.NetworkMapComponents, *types.NetworkMap, []*posture.Checks, int64, error)
-	// PeerNeedsComponents combines the peer's advertised capability with the
-	// kill-switch flag — the only public predicate gRPC layers should ask.
-	PeerNeedsComponents(p *nbpeer.Peer) bool
 	GetDNSDomain(settings *types.Settings) string
 	StartWarmup(context.Context)
 	GetNetworkMap(ctx context.Context, peerID string) (*types.NetworkMap, error)

management/internals/controllers/network_map/interface_mock.go

@@ -143,39 +143,6 @@ func (mr *MockControllerMockRecorder) GetValidatedPeerWithMap(ctx, isRequiresApp
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetValidatedPeerWithMap", reflect.TypeOf((*MockController)(nil).GetValidatedPeerWithMap), ctx, isRequiresApproval, accountID, peerID)
 }
 
-// GetValidatedPeerWithComponents mocks base method.
-func (m *MockController) GetValidatedPeerWithComponents(ctx context.Context, isRequiresApproval bool, accountID string, p *peer.Peer) (*peer.Peer, *types.NetworkMapComponents, *types.NetworkMap, []*posture.Checks, int64, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetValidatedPeerWithComponents", ctx, isRequiresApproval, accountID, p)
-	ret0, _ := ret[0].(*peer.Peer)
-	ret1, _ := ret[1].(*types.NetworkMapComponents)
-	ret2, _ := ret[2].(*types.NetworkMap)
-	ret3, _ := ret[3].([]*posture.Checks)
-	ret4, _ := ret[4].(int64)
-	ret5, _ := ret[5].(error)
-	return ret0, ret1, ret2, ret3, ret4, ret5
-}
-
-// GetValidatedPeerWithComponents indicates an expected call of GetValidatedPeerWithComponents.
-func (mr *MockControllerMockRecorder) GetValidatedPeerWithComponents(ctx, isRequiresApproval, accountID, p any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetValidatedPeerWithComponents", reflect.TypeOf((*MockController)(nil).GetValidatedPeerWithComponents), ctx, isRequiresApproval, accountID, p)
-}
-
-// PeerNeedsComponents mocks base method.
-func (m *MockController) PeerNeedsComponents(p *peer.Peer) bool {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "PeerNeedsComponents", p)
-	ret0, _ := ret[0].(bool)
-	return ret0
-}
-
-// PeerNeedsComponents indicates an expected call of PeerNeedsComponents.
-func (mr *MockControllerMockRecorder) PeerNeedsComponents(p any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PeerNeedsComponents", reflect.TypeOf((*MockController)(nil).PeerNeedsComponents), p)
-}
-
 // OnPeerConnected mocks base method.
 func (m *MockController) OnPeerConnected(ctx context.Context, accountID, peerID string) (chan *UpdateMessage, error) {
 	m.ctrl.T.Helper()

management/internals/shared/grpc/components_encoder.go

@@ -1,813 +0,0 @@
-package grpc
-
-import (
-	"encoding/base64"
-	"strconv"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
-	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/types"
-	nbroute "github.com/netbirdio/netbird/route"
-	"github.com/netbirdio/netbird/shared/management/networkmap"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-// wgKeyRawLen is the raw byte length of a WireGuard public key.
-const wgKeyRawLen = 32
-
-// ComponentsEnvelopeInput bundles the data the component-format encoder needs.
-// The envelope is fully self-contained — every field needed by the client's
-// local Calculate() comes from the components struct itself. The only
-// externally-supplied data is the receiving peer's PeerConfig (which is
-// computed alongside the components in the network_map controller and reused
-// from the legacy proto path) and the dns_domain string.
-type ComponentsEnvelopeInput struct {
-	Components       *types.NetworkMapComponents
-	PeerConfig       *proto.PeerConfig
-	DNSDomain        string
-	DNSForwarderPort int64
-	// UserIDClaim is the OIDC claim name the client should embed in
-	// SshAuth.UserIDClaim when reconstructing the NetworkMap. Empty value
-	// is OK — client treats empty as "no SshAuth to build".
-	UserIDClaim string
-	// ProxyPatch carries pre-expanded NetworkMap fragments injected by
-	// external controllers (BYOP/port-forwarding). Nil when no proxy data
-	// is present; encoder skips the field in that case.
-	ProxyPatch *proto.ProxyPatch
-}
-
-// EncodeNetworkMapEnvelope converts NetworkMapComponents into the component
-// wire envelope. The encoder is intentionally non-deterministic: it iterates
-// Go maps in their native (random) order. Indexes inside the envelope
-// (peer_indexes, source_group_ids, agent_version_idx, router_peer_indexes)
-// are self-consistent within a single encode, so the decoder reconstructs
-// the same typed objects regardless of emit order. Tests that need to
-// compare envelopes do so semantically via proto round-trip + canonicalize,
-// not byte-equal.
-//
-// Callers must NOT concatenate or merge envelopes from different encodes —
-// index spaces are local to a single envelope.
-func EncodeNetworkMapEnvelope(in ComponentsEnvelopeInput) *proto.NetworkMapEnvelope {
-	c := in.Components
-
-	// Graceful degrade when components is nil — matches the legacy path's
-	// behaviour for missing/unvalidated peers (return a NetworkMap with only
-	// Network populated). The receiver gets an envelope it can decode
-	// without crashing; AccountSettings stays non-nil so client-side
-	// dereferences are safe.
-	if c == nil {
-		// Match legacy missing-peer minimum: a NetworkMap with only Network
-		// populated. The receiver gets enough to bootstrap (Network
-		// identifier, dns_domain, account_settings) and nothing else.
-		return &proto.NetworkMapEnvelope{
-			Payload: &proto.NetworkMapEnvelope_Full{
-				Full: &proto.NetworkMapComponentsFull{
-					PeerConfig:       in.PeerConfig,
-					DnsDomain:        in.DNSDomain,
-					DnsForwarderPort: in.DNSForwarderPort,
-					UserIdClaim:      in.UserIDClaim,
-					AccountSettings:  &proto.AccountSettingsCompact{},
-					ProxyPatch:       in.ProxyPatch,
-				},
-			},
-		}
-	}
-
-	// Phase 1: build dedup tables. Every routing peer (in c.RouterPeers) and
-	// every regular peer (in c.Peers) must be indexed before any encoder
-	// looks up indexes via e.peerOrder — otherwise routes / routers_map for
-	// peers that exist only in c.RouterPeers would silently lose their
-	// peer_index reference.
-	enc := newComponentEncoder(c)
-	enc.indexAllPeers()
-	routerIdxs := enc.indexRouterPeers(c.RouterPeers)
-
-	// Phase 2: gather every policy that any consumer references (peer-pair
-	// policies + resource-only policies) so encodeResourcePoliciesMap can
-	// translate every *Policy pointer to a wire index.
-	allPolicies := unionPolicies(c.Policies, c.ResourcePoliciesMap)
-	policies, policyToIdxs := enc.encodePolicies(allPolicies)
-
-	// Phase 3: emit. Order of struct field expressions no longer matters:
-	// every encoder either reads from the dedup tables or works on
-	// independent input.
-	full := &proto.NetworkMapComponentsFull{
-		Serial:              networkSerial(c.Network),
-		PeerConfig:          in.PeerConfig,
-		Network:             toAccountNetwork(c.Network),
-		AccountSettings:     toAccountSettingsCompact(c.AccountSettings),
-		DnsForwarderPort:    in.DNSForwarderPort,
-		UserIdClaim:         in.UserIDClaim,
-		ProxyPatch:          in.ProxyPatch,
-		DnsSettings:         enc.encodeDNSSettings(c.DNSSettings),
-		DnsDomain:           in.DNSDomain,
-		CustomZoneDomain:    c.CustomZoneDomain,
-		AgentVersions:       enc.agentVersions,
-		Peers:               enc.peers,
-		RouterPeerIndexes:   routerIdxs,
-		Policies:            policies,
-		Groups:              enc.encodeGroups(),
-		Routes:              enc.encodeRoutes(c.Routes),
-		NameserverGroups:    enc.encodeNameServerGroups(c.NameServerGroups),
-		AllDnsRecords:       encodeSimpleRecords(c.AllDNSRecords),
-		AccountZones:        encodeCustomZones(c.AccountZones),
-		NetworkResources:    enc.encodeNetworkResources(c.NetworkResources),
-		RoutersMap:          enc.encodeRoutersMap(c.RoutersMap),
-		ResourcePoliciesMap: enc.encodeResourcePoliciesMap(c.ResourcePoliciesMap, policyToIdxs),
-		GroupIdToUserIds:    enc.encodeGroupIDToUserIDs(c.GroupIDToUserIDs),
-		AllowedUserIds:      stringSetToSlice(c.AllowedUserIDs),
-		PostureFailedPeers:  enc.encodePostureFailedPeers(c.PostureFailedPeers),
-	}
-
-	return &proto.NetworkMapEnvelope{
-		Payload: &proto.NetworkMapEnvelope_Full{Full: full},
-	}
-}
-
-// networkSerial returns c.Network.CurrentSerial() with a nil guard. The
-// production path always populates c.Network, but the encoder is exported
-// and a hand-built components struct may omit it.
-func networkSerial(n *types.Network) uint64 {
-	if n == nil {
-		return 0
-	}
-	return n.CurrentSerial()
-}
-
-type componentEncoder struct {
-	components *types.NetworkMapComponents
-
-	peerOrder map[string]uint32
-	peers     []*proto.PeerCompact
-
-	agentVersionOrder map[string]uint32
-	agentVersions     []string
-}
-
-func newComponentEncoder(c *types.NetworkMapComponents) *componentEncoder {
-	return &componentEncoder{
-		components:        c,
-		peerOrder:         make(map[string]uint32, len(c.Peers)),
-		peers:             make([]*proto.PeerCompact, 0, len(c.Peers)),
-		agentVersionOrder: make(map[string]uint32),
-	}
-}
-
-func (e *componentEncoder) indexAllPeers() {
-	for _, p := range e.components.Peers {
-		if p == nil {
-			continue
-		}
-		e.appendPeer(p)
-	}
-}
-
-func (e *componentEncoder) appendPeer(p *nbpeer.Peer) uint32 {
-	if idx, ok := e.peerOrder[p.ID]; ok {
-		return idx
-	}
-	idx := uint32(len(e.peers))
-	e.peerOrder[p.ID] = idx
-	e.peers = append(e.peers, toPeerCompact(p, e.agentVersionIndex(p.Meta.WtVersion)))
-	return idx
-}
-
-func (e *componentEncoder) agentVersionIndex(v string) uint32 {
-	if idx, ok := e.agentVersionOrder[v]; ok {
-		return idx
-	}
-	// Lazy-initialise the table with "" at index 0 so the empty string
-	// stays interchangeable with proto3's default uint32=0 — peers without
-	// a WtVersion don't force the table to materialise.
-	if v == "" {
-		idx := uint32(len(e.agentVersions))
-		if idx == 0 {
-			e.agentVersions = append(e.agentVersions, "")
-		}
-		e.agentVersionOrder[""] = idx
-		return idx
-	}
-	if len(e.agentVersions) == 0 {
-		e.agentVersions = append(e.agentVersions, "")
-		e.agentVersionOrder[""] = 0
-	}
-	idx := uint32(len(e.agentVersions))
-	e.agentVersionOrder[v] = idx
-	e.agentVersions = append(e.agentVersions, v)
-	return idx
-}
-
-// indexRouterPeers ensures every router peer is in the peer dedup table
-// (c.RouterPeers may contain peers not in c.Peers when validation rules drop
-// them) and returns their wire indexes for the RouterPeerIndexes field. Must
-// run before any encoder that resolves peer ids via e.peerOrder.
-func (e *componentEncoder) indexRouterPeers(routers map[string]*nbpeer.Peer) []uint32 {
-	if len(routers) == 0 {
-		return nil
-	}
-	out := make([]uint32, 0, len(routers))
-	for _, p := range routers {
-		if p == nil {
-			continue
-		}
-		out = append(out, e.appendPeer(p))
-	}
-	return out
-}
-
-func (e *componentEncoder) encodeGroups() []*proto.GroupCompact {
-	if len(e.components.Groups) == 0 {
-		return nil
-	}
-
-	out := make([]*proto.GroupCompact, 0, len(e.components.Groups))
-	for _, g := range e.components.Groups {
-		if !g.HasSeqID() {
-			continue
-		}
-		peerIdxs := make([]uint32, 0, len(g.Peers))
-		for _, peerID := range g.Peers {
-			if idx, ok := e.peerOrder[peerID]; ok {
-				peerIdxs = append(peerIdxs, idx)
-			}
-		}
-		out = append(out, &proto.GroupCompact{
-			Id:          g.AccountSeqID,
-			Name:        g.Name,
-			PeerIndexes: peerIdxs,
-		})
-	}
-	return out
-}
-
-// encodePolicies flattens Policy{Rules} → []PolicyCompact. Returns the wire
-// list and a map from policy pointer to the indexes of its emitted rules in
-// that list — used by encodeResourcePoliciesMap to translate
-// ResourcePoliciesMap[resourceID][]*Policy into wire-side indexes.
-func (e *componentEncoder) encodePolicies(policies []*types.Policy) ([]*proto.PolicyCompact, map[*types.Policy][]uint32) {
-	if len(policies) == 0 {
-		return nil, nil
-	}
-
-	out := make([]*proto.PolicyCompact, 0, len(policies))
-	idxByPolicy := make(map[*types.Policy][]uint32, len(policies))
-
-	for _, pol := range policies {
-		if !pol.HasSeqID() || !pol.Enabled {
-			continue
-		}
-		for _, r := range pol.Rules {
-			if r == nil || !r.Enabled {
-				continue
-			}
-			idxByPolicy[pol] = append(idxByPolicy[pol], uint32(len(out)))
-			out = append(out, e.encodePolicyRule(pol, r))
-		}
-	}
-	return out, idxByPolicy
-}
-
-// encodePolicyRule maps a single PolicyRule under pol to a PolicyCompact entry.
-func (e *componentEncoder) encodePolicyRule(pol *types.Policy, r *types.PolicyRule) *proto.PolicyCompact {
-	return &proto.PolicyCompact{
-		Id:                       pol.AccountSeqID,
-		Action:                   networkmap.GetProtoAction(string(r.Action)),
-		Protocol:                 networkmap.GetProtoProtocol(string(r.Protocol)),
-		Bidirectional:            r.Bidirectional,
-		Ports:                    portsToUint32(r.Ports),
-		PortRanges:               portRangesToProto(r.PortRanges),
-		SourceGroupIds:           e.groupSeqIDs(r.Sources),
-		DestinationGroupIds:      e.groupSeqIDs(r.Destinations),
-		AuthorizedUser:           r.AuthorizedUser,
-		AuthorizedGroups:         e.encodeAuthorizedGroups(r.AuthorizedGroups),
-		SourceResource:           e.resourceToProto(r.SourceResource),
-		DestinationResource:      e.resourceToProto(r.DestinationResource),
-		SourcePostureCheckSeqIds: e.postureCheckSeqs(pol.SourcePostureChecks),
-	}
-}
-
-// groupSeqIDs maps the xid group IDs in src to their per-account seq ids,
-// dropping any group that has no seq id assigned.
-func (e *componentEncoder) groupSeqIDs(src []string) []uint32 {
-	if len(src) == 0 {
-		return nil
-	}
-	out := make([]uint32, 0, len(src))
-	for _, gid := range src {
-		if seq, ok := e.groupSeq(gid); ok {
-			out = append(out, seq)
-		}
-	}
-	return out
-}
-
-// unionPolicies merges c.Policies with every policy referenced by
-// c.ResourcePoliciesMap, deduplicating by pointer identity. Resource-only
-// policies (relevant to a NetworkResource but not to peer-pair traffic)
-// only live in ResourcePoliciesMap; without this union step they'd be lost
-// from the wire and the client's resource-policy lookup would come back
-// empty.
-func unionPolicies(policies []*types.Policy, resourcePolicies map[string][]*types.Policy) []*types.Policy {
-	// Fast path: non-router peers have no resource-only policies, so the
-	// "union" is identical to `policies`. Skip the dedup map allocation.
-	if len(resourcePolicies) == 0 {
-		return policies
-	}
-	seen := make(map[*types.Policy]struct{}, len(policies))
-	out := make([]*types.Policy, 0, len(policies))
-	for _, p := range policies {
-		if p == nil {
-			continue
-		}
-		if _, ok := seen[p]; ok {
-			continue
-		}
-		seen[p] = struct{}{}
-		out = append(out, p)
-	}
-	for _, list := range resourcePolicies {
-		for _, p := range list {
-			if p == nil {
-				continue
-			}
-			if _, ok := seen[p]; ok {
-				continue
-			}
-			seen[p] = struct{}{}
-			out = append(out, p)
-		}
-	}
-	return out
-}
-
-// encodeAuthorizedGroups translates rule.AuthorizedGroups (map keyed by
-// group xid → local-user names) to the wire form (map keyed by group
-// account_seq_id → UserNameList). Groups without a seq id are dropped —
-// matches how source/destination group references handle the same case.
-func (e *componentEncoder) encodeAuthorizedGroups(m map[string][]string) map[uint32]*proto.UserNameList {
-	if len(m) == 0 {
-		return nil
-	}
-	out := make(map[uint32]*proto.UserNameList, len(m))
-	for groupID, names := range m {
-		seq, ok := e.groupSeq(groupID)
-		if !ok {
-			continue
-		}
-		out[seq] = &proto.UserNameList{Names: append([]string(nil), names...)}
-	}
-	return out
-}
-
-func (e *componentEncoder) groupSeq(groupID string) (uint32, bool) {
-	g, ok := e.components.Groups[groupID]
-	if !ok || !g.HasSeqID() {
-		return 0, false
-	}
-	return g.AccountSeqID, true
-}
-
-// resourceToProto translates types.Resource for the wire. For peer-typed
-// resources the peer id is converted to a peer index into the envelope's
-// peers array. For other resource types only the type string is shipped
-// today (Calculate's resource-typed rule path consults SourceResource only
-// for "peer" — other types fall through to group-based lookup).
-func (e *componentEncoder) resourceToProto(r types.Resource) *proto.ResourceCompact {
-	if r.ID == "" && r.Type == "" {
-		return nil
-	}
-	out := &proto.ResourceCompact{Type: string(r.Type)}
-	if r.Type == types.ResourceTypePeer && r.ID != "" {
-		if idx, ok := e.peerOrder[r.ID]; ok {
-			out.PeerIndexSet = true
-			out.PeerIndex = idx
-		}
-	}
-	return out
-}
-
-// postureCheckSeqs translates a slice of posture-check xids to their
-// per-account integer ids using the NetworkMapComponents.PostureCheckXIDToSeq
-// lookup. Unresolvable xids are silently dropped — matches how group/peer
-// references handle the same case.
-func (e *componentEncoder) postureCheckSeqs(xids []string) []uint32 {
-	if len(xids) == 0 || len(e.components.PostureCheckXIDToSeq) == 0 {
-		return nil
-	}
-	out := make([]uint32, 0, len(xids))
-	for _, xid := range xids {
-		if seq, ok := e.components.PostureCheckXIDToSeq[xid]; ok {
-			out = append(out, seq)
-		}
-	}
-	return out
-}
-
-// networkSeq translates a Network xid to its per-account integer id using
-// the NetworkMapComponents.NetworkXIDToSeq lookup. Returns (0,false) when
-// the xid isn't known — callers decide whether to skip the parent record.
-func (e *componentEncoder) networkSeq(xid string) (uint32, bool) {
-	if xid == "" {
-		return 0, false
-	}
-	seq, ok := e.components.NetworkXIDToSeq[xid]
-	if !ok || seq == 0 {
-		return 0, false
-	}
-	return seq, true
-}
-
-func (e *componentEncoder) encodeDNSSettings(s *types.DNSSettings) *proto.DNSSettingsCompact {
-	if s == nil || len(s.DisabledManagementGroups) == 0 {
-		return nil
-	}
-	out := &proto.DNSSettingsCompact{
-		DisabledManagementGroupIds: make([]uint32, 0, len(s.DisabledManagementGroups)),
-	}
-	for _, gid := range s.DisabledManagementGroups {
-		if seq, ok := e.groupSeq(gid); ok {
-			out.DisabledManagementGroupIds = append(out.DisabledManagementGroupIds, seq)
-		}
-	}
-	return out
-}
-
-func (e *componentEncoder) encodeRoutes(routes []*nbroute.Route) []*proto.RouteRaw {
-	if len(routes) == 0 {
-		return nil
-	}
-	out := make([]*proto.RouteRaw, 0, len(routes))
-	for _, r := range routes {
-		if r == nil {
-			continue
-		}
-		rr := &proto.RouteRaw{
-			Id:                    r.AccountSeqID,
-			NetId:                 string(r.NetID),
-			Description:           r.Description,
-			KeepRoute:             r.KeepRoute,
-			NetworkType:           int32(r.NetworkType),
-			Masquerade:            r.Masquerade,
-			Metric:                int32(r.Metric),
-			Enabled:               r.Enabled,
-			SkipAutoApply:         r.SkipAutoApply,
-			Domains:               r.Domains.ToPunycodeList(),
-			GroupIds:              e.groupIDsToSeq(r.Groups),
-			AccessControlGroupIds: e.groupIDsToSeq(r.AccessControlGroups),
-			PeerGroupIds:          e.groupIDsToSeq(r.PeerGroups),
-		}
-		if r.Network.IsValid() {
-			rr.NetworkCidr = r.Network.String()
-		}
-		if r.Peer != "" {
-			if idx, ok := e.peerOrder[r.Peer]; ok {
-				rr.PeerIndexSet = true
-				rr.PeerIndex = idx
-			}
-		}
-		out = append(out, rr)
-	}
-	return out
-}
-
-func (e *componentEncoder) groupIDsToSeq(groupIDs []string) []uint32 {
-	if len(groupIDs) == 0 {
-		return nil
-	}
-	out := make([]uint32, 0, len(groupIDs))
-	for _, gid := range groupIDs {
-		if seq, ok := e.groupSeq(gid); ok {
-			out = append(out, seq)
-		}
-	}
-	return out
-}
-
-func (e *componentEncoder) encodeNameServerGroups(nsgs []*nbdns.NameServerGroup) []*proto.NameServerGroupRaw {
-	if len(nsgs) == 0 {
-		return nil
-	}
-	out := make([]*proto.NameServerGroupRaw, 0, len(nsgs))
-	for _, nsg := range nsgs {
-		if nsg == nil {
-			continue
-		}
-		entry := &proto.NameServerGroupRaw{
-			Id:                   nsg.AccountSeqID,
-			Name:                 nsg.Name,
-			Description:          nsg.Description,
-			Nameservers:          encodeNameServers(nsg.NameServers),
-			GroupIds:             e.groupIDsToSeq(nsg.Groups),
-			Primary:              nsg.Primary,
-			Domains:              nsg.Domains,
-			Enabled:              nsg.Enabled,
-			SearchDomainsEnabled: nsg.SearchDomainsEnabled,
-		}
-		out = append(out, entry)
-	}
-	return out
-}
-
-func encodeNameServers(servers []nbdns.NameServer) []*proto.NameServer {
-	if len(servers) == 0 {
-		return nil
-	}
-	out := make([]*proto.NameServer, 0, len(servers))
-	for _, s := range servers {
-		out = append(out, &proto.NameServer{
-			IP:     s.IP.String(),
-			NSType: int64(s.NSType),
-			Port:   int64(s.Port),
-		})
-	}
-	return out
-}
-
-func encodeSimpleRecords(records []nbdns.SimpleRecord) []*proto.SimpleRecord {
-	if len(records) == 0 {
-		return nil
-	}
-	out := make([]*proto.SimpleRecord, 0, len(records))
-	for _, r := range records {
-		out = append(out, &proto.SimpleRecord{
-			Name:  r.Name,
-			Type:  int64(r.Type),
-			Class: r.Class,
-			TTL:   int64(r.TTL),
-			RData: r.RData,
-		})
-	}
-	return out
-}
-
-func encodeCustomZones(zones []nbdns.CustomZone) []*proto.CustomZone {
-	if len(zones) == 0 {
-		return nil
-	}
-	out := make([]*proto.CustomZone, 0, len(zones))
-	for _, z := range zones {
-		out = append(out, &proto.CustomZone{
-			Domain:               z.Domain,
-			Records:              encodeSimpleRecords(z.Records),
-			SearchDomainDisabled: z.SearchDomainDisabled,
-			NonAuthoritative:     z.NonAuthoritative,
-		})
-	}
-	return out
-}
-
-func (e *componentEncoder) encodeNetworkResources(resources []*resourceTypes.NetworkResource) []*proto.NetworkResourceRaw {
-	if len(resources) == 0 {
-		return nil
-	}
-	out := make([]*proto.NetworkResourceRaw, 0, len(resources))
-	for _, r := range resources {
-		if r == nil {
-			continue
-		}
-		entry := &proto.NetworkResourceRaw{
-			Id:          r.AccountSeqID,
-			Name:        r.Name,
-			Description: r.Description,
-			Type:        string(r.Type),
-			Address:     r.Address,
-			DomainValue: r.Domain,
-			Enabled:     r.Enabled,
-		}
-		if seq, ok := e.networkSeq(r.NetworkID); ok {
-			entry.NetworkSeq = seq
-		}
-		if r.Prefix.IsValid() {
-			entry.PrefixCidr = r.Prefix.String()
-		}
-		out = append(out, entry)
-	}
-	return out
-}
-
-func (e *componentEncoder) encodeRoutersMap(routersMap map[string]map[string]*routerTypes.NetworkRouter) map[uint32]*proto.NetworkRouterList {
-	if len(routersMap) == 0 {
-		return nil
-	}
-	out := make(map[uint32]*proto.NetworkRouterList, len(routersMap))
-	for networkXID, routers := range routersMap {
-		if len(routers) == 0 {
-			continue
-		}
-		netSeq, ok := e.networkSeq(networkXID)
-		if !ok {
-			continue
-		}
-		entries := make([]*proto.NetworkRouterEntry, 0, len(routers))
-		for peerID, r := range routers {
-			if r == nil {
-				continue
-			}
-			entry := &proto.NetworkRouterEntry{
-				Id:           r.AccountSeqID,
-				PeerGroupIds: e.groupIDsToSeq(r.PeerGroups),
-				Masquerade:   r.Masquerade,
-				Metric:       int32(r.Metric),
-				Enabled:      r.Enabled,
-			}
-			if idx, ok := e.peerOrder[peerID]; ok {
-				entry.PeerIndexSet = true
-				entry.PeerIndex = idx
-			}
-			entries = append(entries, entry)
-		}
-		out[netSeq] = &proto.NetworkRouterList{Entries: entries}
-	}
-	return out
-}
-
-func (e *componentEncoder) encodeResourcePoliciesMap(rpm map[string][]*types.Policy, policyToIdxs map[*types.Policy][]uint32) map[uint32]*proto.PolicyIndexes {
-	if len(rpm) == 0 {
-		return nil
-	}
-	// resourceXIDToSeq is local to one encode — built from components.NetworkResources
-	// (small slice). Network resources without seq id are dropped, matching how
-	// other components-without-seq are silently filtered.
-	resourceXIDToSeq := make(map[string]uint32, len(e.components.NetworkResources))
-	for _, r := range e.components.NetworkResources {
-		if r != nil && r.AccountSeqID != 0 {
-			resourceXIDToSeq[r.ID] = r.AccountSeqID
-		}
-	}
-	out := make(map[uint32]*proto.PolicyIndexes, len(rpm))
-	for resourceXID, policies := range rpm {
-		seq, ok := resourceXIDToSeq[resourceXID]
-		if !ok {
-			continue
-		}
-		idxs := make([]uint32, 0, len(policies)*2)
-		for _, pol := range policies {
-			idxs = append(idxs, policyToIdxs[pol]...)
-		}
-		if len(idxs) == 0 {
-			continue
-		}
-		out[seq] = &proto.PolicyIndexes{Indexes: idxs}
-	}
-	return out
-}
-
-func (e *componentEncoder) encodeGroupIDToUserIDs(m map[string][]string) map[uint32]*proto.UserIDList {
-	if len(m) == 0 {
-		return nil
-	}
-	out := make(map[uint32]*proto.UserIDList, len(m))
-	for groupID, userIDs := range m {
-		seq, ok := e.groupSeq(groupID)
-		if !ok || len(userIDs) == 0 {
-			continue
-		}
-		out[seq] = &proto.UserIDList{UserIds: userIDs}
-	}
-	return out
-}
-
-func stringSetToSlice(s map[string]struct{}) []string {
-	if len(s) == 0 {
-		return nil
-	}
-	out := make([]string, 0, len(s))
-	for k := range s {
-		out = append(out, k)
-	}
-	return out
-}
-
-func (e *componentEncoder) encodePostureFailedPeers(m map[string]map[string]struct{}) map[uint32]*proto.PeerIndexSet {
-	if len(m) == 0 {
-		return nil
-	}
-	out := make(map[uint32]*proto.PeerIndexSet, len(m))
-	for checkXID, failedPeerIDs := range m {
-		seq, ok := e.components.PostureCheckXIDToSeq[checkXID]
-		if !ok || seq == 0 {
-			continue
-		}
-		idxs := make([]uint32, 0, len(failedPeerIDs))
-		for peerID := range failedPeerIDs {
-			if idx, ok := e.peerOrder[peerID]; ok {
-				idxs = append(idxs, idx)
-			}
-		}
-		if len(idxs) == 0 {
-			continue
-		}
-		out[seq] = &proto.PeerIndexSet{PeerIndexes: idxs}
-	}
-	return out
-}
-
-// toAccountSettingsCompact always returns a non-nil message — the client
-// dereferences it unconditionally during Calculate(), so a nil here would
-// crash the receiver. A missing types.AccountSettingsInfo on the server
-// (which shouldn't happen in production but the encoder is exported)
-// degrades to login_expiration_enabled = false, which makes
-// LoginExpired() return false for every peer.
-func toAccountSettingsCompact(s *types.AccountSettingsInfo) *proto.AccountSettingsCompact {
-	if s == nil {
-		return &proto.AccountSettingsCompact{}
-	}
-	return &proto.AccountSettingsCompact{
-		PeerLoginExpirationEnabled: s.PeerLoginExpirationEnabled,
-		PeerLoginExpirationNs:      int64(s.PeerLoginExpiration),
-	}
-}
-
-func toAccountNetwork(n *types.Network) *proto.AccountNetwork {
-	if n == nil {
-		return nil
-	}
-	out := &proto.AccountNetwork{
-		Identifier: n.Identifier,
-		NetCidr:    n.Net.String(),
-		Dns:        n.Dns,
-		Serial:     n.CurrentSerial(),
-	}
-	if len(n.NetV6.IP) > 0 {
-		out.NetV6Cidr = n.NetV6.String()
-	}
-	return out
-}
-
-func toPeerCompact(p *nbpeer.Peer, agentVersionIdx uint32) *proto.PeerCompact {
-	pc := &proto.PeerCompact{
-		WgPubKey:               decodeWgKey(p.Key),
-		SshPubKey:              []byte(p.SSHKey),
-		DnsLabel:               p.DNSLabel,
-		AgentVersionIdx:        agentVersionIdx,
-		AddedWithSsoLogin:      p.UserID != "",
-		LoginExpirationEnabled: p.LoginExpirationEnabled,
-		SshEnabled:             p.SSHEnabled,
-		SupportsIpv6:           p.SupportsIPv6(),
-		SupportsSourcePrefixes: p.SupportsSourcePrefixes(),
-		ServerSshAllowed:       p.Meta.Flags.ServerSSHAllowed,
-	}
-	if p.LastLogin != nil {
-		pc.LastLoginUnixNano = p.LastLogin.UnixNano()
-	}
-	switch {
-	case !p.IP.IsValid():
-		// leave Ip nil
-	case p.IP.Is4() || p.IP.Is4In6():
-		ip := p.IP.Unmap().As4()
-		pc.Ip = ip[:]
-	default:
-		ip := p.IP.As16()
-		pc.Ip = ip[:]
-	}
-	if p.IPv6.IsValid() {
-		ip := p.IPv6.As16()
-		pc.Ipv6 = ip[:]
-	}
-	return pc
-}
-
-// decodeWgKey returns the raw 32 bytes of a base64-encoded WireGuard public
-// key, or nil for an empty / malformed key.
-func decodeWgKey(s string) []byte {
-	if s == "" {
-		return nil
-	}
-	out := make([]byte, wgKeyRawLen)
-	n, err := base64.StdEncoding.Decode(out, []byte(s))
-	if err != nil || n != wgKeyRawLen {
-		return nil
-	}
-	return out
-}
-
-func portsToUint32(ports []string) []uint32 {
-	if len(ports) == 0 {
-		return nil
-	}
-	out := make([]uint32, 0, len(ports))
-	for _, p := range ports {
-		v, err := strconv.ParseUint(p, 10, 16)
-		if err != nil {
-			continue
-		}
-		out = append(out, uint32(v))
-	}
-	return out
-}
-
-func portRangesToProto(ranges []types.RulePortRange) []*proto.PortInfo_Range {
-	if len(ranges) == 0 {
-		return nil
-	}
-	out := make([]*proto.PortInfo_Range, 0, len(ranges))
-	for _, r := range ranges {
-		out = append(out, &proto.PortInfo_Range{
-			Start: uint32(r.Start),
-			End:   uint32(r.End),
-		})
-	}
-	return out
-}

management/internals/shared/grpc/components_encoder_test.go

@@ -1,879 +0,0 @@
-package grpc
-
-import (
-	"bytes"
-	"cmp"
-	"net"
-	"net/netip"
-	"slices"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	goproto "google.golang.org/protobuf/proto"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
-	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/types"
-	nbroute "github.com/netbirdio/netbird/route"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-const testWgKeyA = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq="
-const testWgKeyB = "BBCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq="
-const testWgKeyC = "CBCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq="
-
-// canonicalize rewrites a NetworkMapComponentsFull in place into a canonical
-// form: peers reordered by wg_pub_key, with the rest of the message rewritten
-// to reference the new peer indexes. Groups, policies, and router indexes are
-// also sorted. After canonicalize, two envelopes built from the same logical
-// input compare byte-equal via proto.Equal.
-//
-// This lives on the test side — the encoder itself emits in map-iteration
-// order. Test-side normalization is the contract for "two encodes are
-// equivalent".
-func canonicalize(full *proto.NetworkMapComponentsFull) {
-	if full == nil {
-		return
-	}
-
-	// Canonicalize agent_versions first: sort the slice and rewrite each
-	// peer's AgentVersionIdx accordingly. The empty placeholder stays at
-	// index 0 by convention.
-	avRemap := make(map[uint32]uint32, len(full.AgentVersions))
-	if len(full.AgentVersions) > 0 {
-		// Pair version → original index, sort, rebuild.
-		type avEntry struct {
-			version string
-			oldIdx  uint32
-		}
-		entries := make([]avEntry, len(full.AgentVersions))
-		for i, v := range full.AgentVersions {
-			entries[i] = avEntry{version: v, oldIdx: uint32(i)}
-		}
-		// Empty stays at 0; sort the rest by string. Tiebreaker on oldIdx
-		// keeps the canonicalize output stable when two entries compare
-		// equal (the encoder dedups, but defending against future inputs).
-		slices.SortFunc(entries, func(a, b avEntry) int {
-			if a.version == "" && b.version != "" {
-				return -1
-			}
-			if b.version == "" && a.version != "" {
-				return 1
-			}
-			if c := cmp.Compare(a.version, b.version); c != 0 {
-				return c
-			}
-			return cmp.Compare(a.oldIdx, b.oldIdx)
-		})
-		newVersions := make([]string, len(entries))
-		for newIdx, e := range entries {
-			avRemap[e.oldIdx] = uint32(newIdx)
-			newVersions[newIdx] = e.version
-		}
-		full.AgentVersions = newVersions
-	}
-	for _, p := range full.Peers {
-		if newIdx, ok := avRemap[p.AgentVersionIdx]; ok {
-			p.AgentVersionIdx = newIdx
-		}
-	}
-
-	type peerEntry struct {
-		peer   *proto.PeerCompact
-		oldIdx uint32
-	}
-	entries := make([]peerEntry, len(full.Peers))
-	for i, p := range full.Peers {
-		entries[i] = peerEntry{peer: p, oldIdx: uint32(i)}
-	}
-	// DnsLabel is unique per peer; it tiebreaks on equal WgPubKey (e.g. both
-	// nil from malformed keys, or both empty for placeholders).
-	slices.SortFunc(entries, func(a, b peerEntry) int {
-		if c := bytes.Compare(a.peer.WgPubKey, b.peer.WgPubKey); c != 0 {
-			return c
-		}
-		return cmp.Compare(a.peer.DnsLabel, b.peer.DnsLabel)
-	})
-
-	remap := make(map[uint32]uint32, len(entries))
-	newPeers := make([]*proto.PeerCompact, len(entries))
-	for newIdx, e := range entries {
-		remap[e.oldIdx] = uint32(newIdx)
-		newPeers[newIdx] = e.peer
-	}
-	full.Peers = newPeers
-
-	full.RouterPeerIndexes = remapAndSort(full.RouterPeerIndexes, remap)
-	for _, g := range full.Groups {
-		g.PeerIndexes = remapAndSort(g.PeerIndexes, remap)
-	}
-	slices.SortFunc(full.Groups, func(a, b *proto.GroupCompact) int { return cmp.Compare(a.Id, b.Id) })
-
-	for _, r := range full.Routes {
-		if r.PeerIndexSet {
-			if newIdx, ok := remap[r.PeerIndex]; ok {
-				r.PeerIndex = newIdx
-			}
-		}
-		slices.Sort(r.GroupIds)
-		slices.Sort(r.AccessControlGroupIds)
-		slices.Sort(r.PeerGroupIds)
-	}
-	slices.SortFunc(full.Routes, func(a, b *proto.RouteRaw) int { return cmp.Compare(a.Id, b.Id) })
-
-	for _, list := range full.RoutersMap {
-		for _, entry := range list.Entries {
-			if entry.PeerIndexSet {
-				if newIdx, ok := remap[entry.PeerIndex]; ok {
-					entry.PeerIndex = newIdx
-				}
-			}
-			slices.Sort(entry.PeerGroupIds)
-		}
-		slices.SortFunc(list.Entries, func(a, b *proto.NetworkRouterEntry) int { return cmp.Compare(a.Id, b.Id) })
-	}
-
-	for _, set := range full.PostureFailedPeers {
-		set.PeerIndexes = remapAndSort(set.PeerIndexes, remap)
-	}
-
-	for _, p := range full.Policies {
-		slices.Sort(p.SourceGroupIds)
-		slices.Sort(p.DestinationGroupIds)
-	}
-	// Sort policies by (Id, source_group_ids, destination_group_ids) so that
-	// multiple PolicyCompact entries sharing the same Id (one per rule, when
-	// a Policy has multiple rules) still get a deterministic order. After
-	// sorting we remap indexes in ResourcePoliciesMap.
-	policyOldOrder := make(map[*proto.PolicyCompact]uint32, len(full.Policies))
-	for i, p := range full.Policies {
-		policyOldOrder[p] = uint32(i)
-	}
-	slices.SortFunc(full.Policies, func(a, b *proto.PolicyCompact) int {
-		if c := cmp.Compare(a.Id, b.Id); c != 0 {
-			return c
-		}
-		if c := slices.Compare(a.SourceGroupIds, b.SourceGroupIds); c != 0 {
-			return c
-		}
-		return slices.Compare(a.DestinationGroupIds, b.DestinationGroupIds)
-	})
-	policyRemap := make(map[uint32]uint32, len(full.Policies))
-	for newIdx, p := range full.Policies {
-		policyRemap[policyOldOrder[p]] = uint32(newIdx)
-	}
-	for _, idxs := range full.ResourcePoliciesMap {
-		idxs.Indexes = remapAndSort(idxs.Indexes, policyRemap)
-	}
-	for _, list := range full.GroupIdToUserIds {
-		slices.Sort(list.UserIds)
-	}
-	slices.Sort(full.AllowedUserIds)
-}
-
-func remapAndSort(idxs []uint32, remap map[uint32]uint32) []uint32 {
-	out := make([]uint32, 0, len(idxs))
-	for _, i := range idxs {
-		if newIdx, ok := remap[i]; ok {
-			out = append(out, newIdx)
-		}
-	}
-	slices.Sort(out)
-	return out
-}
-
-// envelopesEquivalent decodes both envelopes, canonicalizes them, and reports
-// whether they're proto.Equal. Use instead of byte-comparing marshaled output:
-// the encoder is intentionally non-deterministic.
-func envelopesEquivalent(a, b *proto.NetworkMapEnvelope) bool {
-	canonicalize(a.GetFull())
-	canonicalize(b.GetFull())
-	return goproto.Equal(a, b)
-}
-
-func newTestComponents() *types.NetworkMapComponents {
-	peerA := &nbpeer.Peer{
-		ID:       "peer-a",
-		Key:      testWgKeyA,
-		IP:       netip.AddrFrom4([4]byte{100, 64, 0, 1}),
-		DNSLabel: "peera",
-		SSHKey:   "ssh-a",
-		Status:   &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now()},
-		Meta:     nbpeer.PeerSystemMeta{WtVersion: "0.40.0"},
-	}
-	peerB := &nbpeer.Peer{
-		ID:       "peer-b",
-		Key:      testWgKeyB,
-		IP:       netip.AddrFrom4([4]byte{100, 64, 0, 2}),
-		IPv6:     netip.AddrFrom16([16]byte{0xfd, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2}),
-		DNSLabel: "peerb",
-		Meta:     nbpeer.PeerSystemMeta{WtVersion: "0.25.0"},
-	}
-	peerC := &nbpeer.Peer{
-		ID:       "peer-c",
-		Key:      testWgKeyC,
-		IP:       netip.AddrFrom4([4]byte{100, 64, 0, 3}),
-		DNSLabel: "peerc",
-		Meta:     nbpeer.PeerSystemMeta{WtVersion: "0.40.0"},
-	}
-
-	return &types.NetworkMapComponents{
-		PeerID: "peer-a",
-		Network: &types.Network{
-			Identifier: "net-test",
-			Net:        net.IPNet{IP: net.IP{100, 64, 0, 0}, Mask: net.CIDRMask(10, 32)},
-			Serial:     7,
-		},
-		AccountSettings: &types.AccountSettingsInfo{
-			PeerLoginExpirationEnabled: true,
-			PeerLoginExpiration:        2 * time.Hour,
-		},
-		Peers: map[string]*nbpeer.Peer{
-			"peer-a": peerA,
-			"peer-b": peerB,
-			"peer-c": peerC,
-		},
-		Groups: map[string]*types.Group{
-			"group-src": {ID: "group-src", AccountSeqID: 1, Name: "Src", Peers: []string{"peer-a"}},
-			"group-dst": {ID: "group-dst", AccountSeqID: 2, Name: "Dst", Peers: []string{"peer-b", "peer-c"}},
-		},
-		Policies: []*types.Policy{
-			{
-				ID:           "pol-1",
-				AccountSeqID: 10,
-				Enabled:      true,
-				Rules: []*types.PolicyRule{{
-					ID: "rule-1", Enabled: true, Action: types.PolicyTrafficActionAccept,
-					Protocol: types.PolicyRuleProtocolTCP, Bidirectional: true,
-					Ports:        []string{"22", "80"},
-					PortRanges:   []types.RulePortRange{{Start: 8000, End: 8100}},
-					Sources:      []string{"group-src"},
-					Destinations: []string{"group-dst"},
-				}},
-			},
-		},
-		RouterPeers: map[string]*nbpeer.Peer{"peer-c": peerC},
-	}
-}
-
-func TestEncodeNetworkMapEnvelope_Basic(t *testing.T) {
-	c := newTestComponents()
-	env := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{
-		Components: c,
-		DNSDomain:  "netbird.cloud",
-	})
-
-	require.NotNil(t, env)
-	full := env.GetFull()
-	require.NotNil(t, full, "envelope must contain Full payload")
-
-	assert.EqualValues(t, 7, full.Serial)
-	assert.Equal(t, "netbird.cloud", full.DnsDomain)
-
-	require.NotNil(t, full.Network)
-	assert.Equal(t, "net-test", full.Network.Identifier)
-	assert.Equal(t, "100.64.0.0/10", full.Network.NetCidr)
-
-	require.NotNil(t, full.AccountSettings)
-	assert.True(t, full.AccountSettings.PeerLoginExpirationEnabled)
-	assert.EqualValues(t, (2 * time.Hour).Nanoseconds(), full.AccountSettings.PeerLoginExpirationNs)
-
-	require.Len(t, full.Peers, 3)
-	byLabel := map[string]*proto.PeerCompact{}
-	for _, p := range full.Peers {
-		assert.Len(t, p.WgPubKey, 32, "wg key must be raw 32 bytes")
-		assert.Len(t, p.Ip, 4, "ipv4 must be raw 4 bytes")
-		byLabel[p.DnsLabel] = p
-	}
-	assert.Len(t, byLabel["peerb"].Ipv6, 16, "peer-b has ipv6 → 16 bytes")
-}
-
-func TestEncodeNetworkMapEnvelope_RepeatEncodesEquivalent(t *testing.T) {
-	c := newTestComponents()
-
-	expected := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c})
-
-	// Hammer it 100 times — Go map iteration is randomized per call, so each
-	// run produces different wire bytes, but the canonicalized form must
-	// match.
-	for i := 0; i < 100; i++ {
-		got := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c})
-		require.True(t, envelopesEquivalent(expected, got),
-			"encode #%d must be semantically equivalent to first encode", i)
-	}
-}
-
-func TestEncodeNetworkMapEnvelope_ConcurrentEncodesEquivalent(t *testing.T) {
-	c := newTestComponents()
-
-	expected := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c})
-
-	const goroutines = 50
-	var wg sync.WaitGroup
-	wg.Add(goroutines)
-	results := make([]*proto.NetworkMapEnvelope, goroutines)
-	for i := 0; i < goroutines; i++ {
-		i := i
-		go func() {
-			defer wg.Done()
-			results[i] = EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c})
-		}()
-	}
-	wg.Wait()
-
-	for i, got := range results {
-		require.NotNil(t, got, "goroutine %d returned nil", i)
-		require.True(t, envelopesEquivalent(expected, got),
-			"goroutine %d produced inequivalent envelope", i)
-	}
-}
-
-func TestEncodeNetworkMapEnvelope_GroupsByAccountSeqID(t *testing.T) {
-	c := newTestComponents()
-
-	full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c}).GetFull()
-
-	require.Len(t, full.Groups, 2)
-
-	groupByID := map[uint32]*proto.GroupCompact{}
-	for _, g := range full.Groups {
-		groupByID[g.Id] = g
-	}
-	require.Contains(t, groupByID, uint32(1))
-	require.Contains(t, groupByID, uint32(2))
-	assert.Equal(t, "Src", groupByID[1].Name)
-	assert.Equal(t, "Dst", groupByID[2].Name)
-	assert.Len(t, groupByID[1].PeerIndexes, 1)
-	assert.Len(t, groupByID[2].PeerIndexes, 2)
-}
-
-func TestEncodeNetworkMapEnvelope_PolicyExpansion(t *testing.T) {
-	c := newTestComponents()
-
-	full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c}).GetFull()
-
-	require.Len(t, full.Policies, 1)
-	pc := full.Policies[0]
-	assert.EqualValues(t, 10, pc.Id)
-	assert.Equal(t, proto.RuleAction_ACCEPT, pc.Action)
-	assert.Equal(t, proto.RuleProtocol_TCP, pc.Protocol)
-	assert.True(t, pc.Bidirectional)
-	assert.Equal(t, []uint32{22, 80}, pc.Ports)
-	require.Len(t, pc.PortRanges, 1)
-	assert.EqualValues(t, 8000, pc.PortRanges[0].Start)
-	assert.EqualValues(t, 8100, pc.PortRanges[0].End)
-	assert.Equal(t, []uint32{1}, pc.SourceGroupIds)
-	assert.Equal(t, []uint32{2}, pc.DestinationGroupIds)
-}
-
-func TestEncodeNetworkMapEnvelope_RouterIndexes(t *testing.T) {
-	c := newTestComponents()
-
-	full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c}).GetFull()
-
-	require.Len(t, full.RouterPeerIndexes, 1)
-	idx := full.RouterPeerIndexes[0]
-	require.Less(t, int(idx), len(full.Peers))
-	assert.Equal(t, "peerc", full.Peers[idx].DnsLabel)
-}
-
-func TestEncodeNetworkMapEnvelope_AgentVersionDedup(t *testing.T) {
-	c := newTestComponents()
-
-	full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c}).GetFull()
-
-	require.Len(t, full.AgentVersions, 3, "empty placeholder + 2 distinct versions")
-	assert.Equal(t, "", full.AgentVersions[0], "index 0 reserved for empty version")
-	assert.ElementsMatch(t, []string{"0.40.0", "0.25.0"}, full.AgentVersions[1:],
-		"two distinct versions, order depends on map iteration")
-
-	idxByLabel := map[string]uint32{}
-	for _, p := range full.Peers {
-		idxByLabel[p.DnsLabel] = p.AgentVersionIdx
-	}
-	assert.Equal(t, idxByLabel["peera"], idxByLabel["peerc"], "peers with the same agent version share an index")
-	assert.NotEqual(t, idxByLabel["peera"], idxByLabel["peerb"])
-}
-
-func TestEncodeNetworkMapEnvelope_DisabledPolicySkipped(t *testing.T) {
-	c := newTestComponents()
-	c.Policies[0].Enabled = false
-
-	full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c}).GetFull()
-
-	assert.Empty(t, full.Policies)
-}
-
-func TestEncodeNetworkMapEnvelope_GroupZeroSeqIDSkipped(t *testing.T) {
-	c := newTestComponents()
-	c.Groups["group-src"].AccountSeqID = 0
-
-	full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c}).GetFull()
-
-	require.Len(t, full.Groups, 1, "groups with AccountSeqID=0 are not yet persisted and must be skipped")
-	assert.EqualValues(t, 2, full.Groups[0].Id)
-
-	require.Len(t, full.Policies, 1)
-	pc := full.Policies[0]
-	assert.Empty(t, pc.SourceGroupIds, "rule references a group that was filtered out → no group id on wire")
-	assert.Equal(t, []uint32{2}, pc.DestinationGroupIds)
-}
-
-func TestEncodeNetworkMapEnvelope_TwoPeersSameMalformedKey(t *testing.T) {
-	// Both peers have nil WgPubKey after decode; canonicalize must still
-	// produce a stable order using DnsLabel as a tiebreaker, so 100 encodes
-	// canonicalize identically.
-	c := newTestComponents()
-	c.Peers["peer-a"].Key = "garbage-a-!!!"
-	c.Peers["peer-b"].Key = "garbage-b-!!!"
-
-	expected := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c})
-	for i := 0; i < 100; i++ {
-		got := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c})
-		require.True(t, envelopesEquivalent(expected, got),
-			"encode #%d with two same-key peers must canonicalize equivalently", i)
-	}
-}
-
-func TestEncodeNetworkMapEnvelope_MalformedWgKey(t *testing.T) {
-	c := newTestComponents()
-	c.Peers["peer-a"].Key = "not-base64-!!!"
-
-	full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c}).GetFull()
-
-	require.Len(t, full.Peers, 3)
-
-	var byLabel = map[string]*proto.PeerCompact{}
-	for _, p := range full.Peers {
-		byLabel[p.DnsLabel] = p
-	}
-	assert.Nil(t, byLabel["peera"].WgPubKey, "peer with malformed key encodes nil WgPubKey")
-	assert.Len(t, byLabel["peerb"].WgPubKey, 32, "other peers retain their key")
-}
-
-func TestEncodeNetworkMapEnvelope_IPv6OnlyPeer(t *testing.T) {
-	c := newTestComponents()
-	v6Only := &nbpeer.Peer{
-		ID:       "peer-v6",
-		Key:      testWgKeyA,
-		IPv6:     netip.AddrFrom16([16]byte{0xfd, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9}),
-		DNSLabel: "peerv6",
-		Meta:     nbpeer.PeerSystemMeta{WtVersion: "0.40.0"},
-	}
-	c.Peers["peer-v6"] = v6Only
-
-	full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c}).GetFull()
-
-	var found *proto.PeerCompact
-	for _, p := range full.Peers {
-		if p.DnsLabel == "peerv6" {
-			found = p
-		}
-	}
-	require.NotNil(t, found, "ipv6-only peer must be present")
-	assert.Empty(t, found.Ip, "no IPv4 address → empty Ip")
-	assert.Len(t, found.Ipv6, 16)
-}
-
-func TestEncodeNetworkMapEnvelope_PeerWithoutIP(t *testing.T) {
-	c := newTestComponents()
-	c.Peers["peer-noip"] = &nbpeer.Peer{
-		ID:       "peer-noip",
-		Key:      testWgKeyA,
-		DNSLabel: "peernoip",
-		Meta:     nbpeer.PeerSystemMeta{WtVersion: "0.40.0"},
-	}
-
-	full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c}).GetFull()
-
-	var found *proto.PeerCompact
-	for _, p := range full.Peers {
-		if p.DnsLabel == "peernoip" {
-			found = p
-		}
-	}
-	require.NotNil(t, found)
-	assert.Empty(t, found.Ip)
-	assert.Empty(t, found.Ipv6)
-}
-
-func TestEncodeNetworkMapEnvelope_EmptyInput(t *testing.T) {
-	c := &types.NetworkMapComponents{
-		Network: &types.Network{Identifier: "x", Net: net.IPNet{IP: net.IP{100, 64, 0, 0}, Mask: net.CIDRMask(10, 32)}},
-	}
-
-	env := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c})
-
-	full := env.GetFull()
-	require.NotNil(t, full)
-	assert.Empty(t, full.Peers)
-	assert.Empty(t, full.Groups)
-	assert.Empty(t, full.Policies)
-	assert.Empty(t, full.RouterPeerIndexes)
-	require.NotNil(t, full.AccountSettings, "AccountSettingsCompact must always be emitted (client dereferences it unconditionally)")
-}
-
-func TestEncodeNetworkMapEnvelope_PeerLoginExpirationFields(t *testing.T) {
-	c := newTestComponents()
-	now := time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC)
-	c.Peers["peer-a"].UserID = "user-1"
-	c.Peers["peer-a"].LoginExpirationEnabled = true
-	c.Peers["peer-a"].LastLogin = &now
-
-	full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c}).GetFull()
-
-	var pa *proto.PeerCompact
-	for _, p := range full.Peers {
-		if p.DnsLabel == "peera" {
-			pa = p
-		}
-	}
-	require.NotNil(t, pa)
-	assert.True(t, pa.AddedWithSsoLogin)
-	assert.True(t, pa.LoginExpirationEnabled)
-	assert.Equal(t, now.UnixNano(), pa.LastLoginUnixNano)
-
-	// peer-b has no UserID and no LastLogin → all fields zero-value.
-	var pb *proto.PeerCompact
-	for _, p := range full.Peers {
-		if p.DnsLabel == "peerb" {
-			pb = p
-		}
-	}
-	require.NotNil(t, pb)
-	assert.False(t, pb.AddedWithSsoLogin)
-	assert.False(t, pb.LoginExpirationEnabled)
-	assert.Zero(t, pb.LastLoginUnixNano)
-}
-
-func TestEncodeNetworkMapEnvelope_RoutesRoundTrip(t *testing.T) {
-	c := newTestComponents()
-	c.Routes = []*nbroute.Route{
-		{
-			ID:                  "route-peer",
-			AccountSeqID:        100,
-			NetID:               "net-A",
-			Description:         "via peer-c",
-			Network:             netip.MustParsePrefix("10.0.0.0/16"),
-			Peer:                "peer-c", // peer ID, not WG key
-			Groups:              []string{"group-src"},
-			AccessControlGroups: []string{"group-dst"},
-			Enabled:             true,
-		},
-		{
-			ID:           "route-peergroup",
-			AccountSeqID: 101,
-			NetID:        "net-B",
-			Network:      netip.MustParsePrefix("10.1.0.0/16"),
-			PeerGroups:   []string{"group-src", "group-dst"},
-			Enabled:      true,
-		},
-		{
-			ID:           "route-no-seq",
-			AccountSeqID: 0, // unset — should still ship (no group seq filter on routes)
-			Network:      netip.MustParsePrefix("10.2.0.0/16"),
-			Enabled:      true,
-		},
-	}
-
-	full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c}).GetFull()
-
-	require.Len(t, full.Routes, 3)
-	byNetID := map[string]*proto.RouteRaw{}
-	for _, r := range full.Routes {
-		byNetID[r.NetId] = r
-	}
-
-	r1 := byNetID["net-A"]
-	require.NotNil(t, r1)
-	assert.True(t, r1.PeerIndexSet, "route with peer must set peer_index_set")
-	require.Less(t, int(r1.PeerIndex), len(full.Peers))
-	assert.Equal(t, "peerc", full.Peers[r1.PeerIndex].DnsLabel)
-	assert.Equal(t, []uint32{1}, r1.GroupIds, "group-src has AccountSeqID 1")
-	assert.Equal(t, []uint32{2}, r1.AccessControlGroupIds, "group-dst has AccountSeqID 2")
-	assert.Empty(t, r1.PeerGroupIds)
-
-	r2 := byNetID["net-B"]
-	require.NotNil(t, r2)
-	assert.False(t, r2.PeerIndexSet, "route with peer_groups must NOT set peer_index_set")
-	assert.ElementsMatch(t, []uint32{1, 2}, r2.PeerGroupIds)
-}
-
-func TestEncodeNetworkMapEnvelope_RouteWithMissingPeerLeavesIndexUnset(t *testing.T) {
-	c := newTestComponents()
-	c.Routes = []*nbroute.Route{{
-		ID:           "route-x",
-		AccountSeqID: 100,
-		Peer:         "peer-not-in-components",
-		Network:      netip.MustParsePrefix("10.0.0.0/16"),
-		Enabled:      true,
-	}}
-
-	full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c}).GetFull()
-
-	require.Len(t, full.Routes, 1)
-	assert.False(t, full.Routes[0].PeerIndexSet,
-		"missing peer reference must not pretend to point at peer index 0")
-}
-
-func TestEncodeNetworkMapEnvelope_ResourceOnlyPolicyShippedAndIndexed(t *testing.T) {
-	c := newTestComponents()
-	// Policy that exists ONLY in ResourcePoliciesMap, not in c.Policies. This
-	// is the I1 case — without unionPolicies the encoder would silently
-	// drop it from the wire.
-	resourceOnlyPolicy := &types.Policy{
-		ID: "pol-resource", AccountSeqID: 99, Enabled: true,
-		Rules: []*types.PolicyRule{{
-			ID: "rule-r", Enabled: true, Action: types.PolicyTrafficActionAccept,
-			Protocol:     types.PolicyRuleProtocolTCP,
-			Sources:      []string{"group-src"},
-			Destinations: []string{"group-dst"},
-		}},
-	}
-	c.ResourcePoliciesMap = map[string][]*types.Policy{
-		"resource-x": {c.Policies[0], resourceOnlyPolicy}, // shared + resource-only
-	}
-	// Resource must appear in components.NetworkResources with a seq id —
-	// encoder uses that to translate the xid map key to uint32.
-	c.NetworkResources = []*resourceTypes.NetworkResource{
-		{ID: "resource-x", AccountSeqID: 77, Name: "res-x", Enabled: true},
-	}
-
-	full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c}).GetFull()
-
-	require.Len(t, full.Policies, 2, "encoded policies must include both peer-traffic and resource-only")
-
-	policyByID := map[uint32]*proto.PolicyCompact{}
-	policyIdxByID := map[uint32]uint32{}
-	for i, p := range full.Policies {
-		policyByID[p.Id] = p
-		policyIdxByID[p.Id] = uint32(i)
-	}
-	require.Contains(t, policyByID, uint32(10), "original peer-traffic policy id 10")
-	require.Contains(t, policyByID, uint32(99), "resource-only policy id 99")
-
-	require.Contains(t, full.ResourcePoliciesMap, uint32(77))
-	idxs := full.ResourcePoliciesMap[77].Indexes
-	require.Len(t, idxs, 2)
-	assert.ElementsMatch(t, []uint32{policyIdxByID[10], policyIdxByID[99]}, idxs,
-		"resource policies map must reference both wire policy indexes")
-}
-
-func TestEncodeNetworkMapEnvelope_NameServerGroups(t *testing.T) {
-	c := newTestComponents()
-	c.NameServerGroups = []*nbdns.NameServerGroup{{
-		ID: "nsg-1", AccountSeqID: 50, Name: "Main", Description: "primary",
-		NameServers: []nbdns.NameServer{{
-			IP: netip.MustParseAddr("8.8.8.8"), NSType: nbdns.UDPNameServerType, Port: 53,
-		}},
-		Groups:  []string{"group-src", "group-not-persisted"},
-		Primary: true, Enabled: true,
-		Domains: []string{"corp.example"},
-	}}
-	c.Groups["group-not-persisted"] = &types.Group{ID: "group-not-persisted", AccountSeqID: 0, Peers: []string{}}
-
-	full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c}).GetFull()
-
-	require.Len(t, full.NameserverGroups, 1)
-	nsg := full.NameserverGroups[0]
-	assert.EqualValues(t, 50, nsg.Id)
-	assert.Equal(t, "Main", nsg.Name)
-	assert.True(t, nsg.Primary)
-	require.Len(t, nsg.Nameservers, 1)
-	assert.Equal(t, "8.8.8.8", nsg.Nameservers[0].IP)
-	assert.Equal(t, []uint32{1}, nsg.GroupIds, "group-not-persisted is filtered out (AccountSeqID=0)")
-}
-
-func TestEncodeNetworkMapEnvelope_PostureFailedPeers(t *testing.T) {
-	c := newTestComponents()
-	c.PostureCheckXIDToSeq = map[string]uint32{"check-1": 33}
-	c.PostureFailedPeers = map[string]map[string]struct{}{
-		"check-1": {
-			"peer-a":              {},
-			"peer-b":              {},
-			"peer-not-in-account": {},
-		},
-	}
-
-	full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c}).GetFull()
-
-	require.Contains(t, full.PostureFailedPeers, uint32(33))
-	idxs := full.PostureFailedPeers[33].PeerIndexes
-	assert.Len(t, idxs, 2, "missing peer is silently dropped (filterPostureFailedPeers guarantees presence in real data)")
-}
-
-func TestEncodeNetworkMapEnvelope_RoutersMap(t *testing.T) {
-	c := newTestComponents()
-	c.NetworkXIDToSeq = map[string]uint32{"net-1": 5}
-	c.RoutersMap = map[string]map[string]*routerTypes.NetworkRouter{
-		"net-1": {
-			"peer-c": {
-				ID: "router-1", AccountSeqID: 200,
-				Peer: "peer-c", Masquerade: true, Metric: 10, Enabled: true,
-			},
-		},
-	}
-
-	full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c}).GetFull()
-
-	require.Contains(t, full.RoutersMap, uint32(5))
-	entries := full.RoutersMap[5].Entries
-	require.Len(t, entries, 1)
-	e := entries[0]
-	assert.EqualValues(t, 200, e.Id)
-	assert.True(t, e.PeerIndexSet)
-	require.Less(t, int(e.PeerIndex), len(full.Peers))
-	assert.Equal(t, "peerc", full.Peers[e.PeerIndex].DnsLabel)
-	assert.True(t, e.Masquerade)
-	assert.EqualValues(t, 10, e.Metric)
-	assert.True(t, e.Enabled)
-}
-
-func TestEncodeNetworkMapEnvelope_RouterPeerNotInComponentsPeers(t *testing.T) {
-	// Router peer in c.RouterPeers but NOT in c.Peers (validation may have
-	// filtered it). indexRouterPeers runs before encodeRoutersMap, so the
-	// peer_index reference must still resolve.
-	c := newTestComponents()
-	delete(c.Peers, "peer-c")
-	routerPeer := &nbpeer.Peer{
-		ID: "peer-c", Key: testWgKeyC, IP: netip.AddrFrom4([4]byte{100, 64, 0, 3}),
-		DNSLabel: "peerc", Meta: nbpeer.PeerSystemMeta{WtVersion: "0.40.0"},
-	}
-	c.RouterPeers = map[string]*nbpeer.Peer{"peer-c": routerPeer}
-	c.NetworkXIDToSeq = map[string]uint32{"net-1": 5}
-	c.RoutersMap = map[string]map[string]*routerTypes.NetworkRouter{
-		"net-1": {"peer-c": {ID: "r-1", AccountSeqID: 1, Peer: "peer-c", Enabled: true}},
-	}
-
-	full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c}).GetFull()
-
-	require.Contains(t, full.RoutersMap, uint32(5))
-	require.Len(t, full.RoutersMap[5].Entries, 1)
-	e := full.RoutersMap[5].Entries[0]
-	assert.True(t, e.PeerIndexSet, "router peer must be indexed even when not in c.Peers")
-}
-
-func TestEncodeNetworkMapEnvelope_DNSSettingsFiltersUnpersistedGroups(t *testing.T) {
-	c := newTestComponents()
-	c.DNSSettings = &types.DNSSettings{
-		DisabledManagementGroups: []string{"group-src", "group-missing", "group-no-seq"},
-	}
-	c.Groups["group-no-seq"] = &types.Group{ID: "group-no-seq", AccountSeqID: 0}
-
-	full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c}).GetFull()
-
-	require.NotNil(t, full.DnsSettings)
-	assert.Equal(t, []uint32{1}, full.DnsSettings.DisabledManagementGroupIds,
-		"only group-src (AccountSeqID=1) survives — missing and unpersisted are dropped")
-}
-
-func TestEncodeNetworkMapEnvelope_GroupIDToUserIDs(t *testing.T) {
-	c := newTestComponents()
-	c.GroupIDToUserIDs = map[string][]string{
-		"group-src":     {"user-1", "user-2"},
-		"group-no-seq":  {"user-3"}, // group not persisted → drop
-		"group-missing": {"user-4"}, // group not in components → drop
-	}
-	c.Groups["group-no-seq"] = &types.Group{ID: "group-no-seq", AccountSeqID: 0}
-
-	full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c}).GetFull()
-
-	require.Len(t, full.GroupIdToUserIds, 1, "only persisted+present groups survive")
-	require.Contains(t, full.GroupIdToUserIds, uint32(1))
-	assert.ElementsMatch(t, []string{"user-1", "user-2"}, full.GroupIdToUserIds[1].UserIds)
-}
-
-func TestToProxyPatch_EmptyInputReturnsNil(t *testing.T) {
-	assert.Nil(t, toProxyPatch(nil, "netbird.cloud", false, false))
-	assert.Nil(t, toProxyPatch(&types.NetworkMap{}, "netbird.cloud", false, false),
-		"empty NetworkMap (no peers, rules, routes etc) → nil patch so proto3 omits the field")
-}
-
-func TestToProxyPatch_PopulatesAllFields(t *testing.T) {
-	nm := &types.NetworkMap{
-		Peers: []*nbpeer.Peer{{
-			ID: "ext-peer", Key: testWgKeyA, IP: netip.AddrFrom4([4]byte{100, 64, 0, 9}),
-			DNSLabel: "extpeer", Meta: nbpeer.PeerSystemMeta{WtVersion: "0.40.0"},
-		}},
-		FirewallRules: []*types.FirewallRule{{
-			PeerIP: "100.64.0.9", Action: "accept", Direction: 0, Protocol: "tcp",
-		}},
-	}
-
-	patch := toProxyPatch(nm, "netbird.cloud", false, false)
-
-	require.NotNil(t, patch)
-	assert.Len(t, patch.Peers, 1)
-	assert.Len(t, patch.FirewallRules, 1)
-}
-
-// TestEncodeNetworkMapEnvelope_ProxyPatchPropagated covers the ProxyPatch
-// pass-through in both encoder branches (normal path + nil-Components
-// graceful-degrade). Guards against a regression that drops `ProxyPatch:`
-// from one of the envelope struct literals.
-func TestEncodeNetworkMapEnvelope_ProxyPatchPropagated(t *testing.T) {
-	patch := &proto.ProxyPatch{
-		ForwardingRules: []*proto.ForwardingRule{{
-			Protocol:          proto.RuleProtocol_TCP,
-			DestinationPort:   &proto.PortInfo{PortSelection: &proto.PortInfo_Port{Port: 80}},
-			TranslatedAddress: net.IPv4(10, 0, 0, 1).To4(),
-			TranslatedPort:    &proto.PortInfo{PortSelection: &proto.PortInfo_Port{Port: 8080}},
-		}},
-	}
-
-	t.Run("normal_path", func(t *testing.T) {
-		c := newTestComponents()
-		full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{
-			Components: c,
-			ProxyPatch: patch,
-		}).GetFull()
-
-		require.NotNil(t, full.ProxyPatch, "ProxyPatch must propagate through the normal encode path")
-		assert.Len(t, full.ProxyPatch.ForwardingRules, 1)
-	})
-
-	t.Run("nil_components_graceful_degrade", func(t *testing.T) {
-		full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{
-			Components: nil,
-			ProxyPatch: patch,
-		}).GetFull()
-
-		require.NotNil(t, full.ProxyPatch, "ProxyPatch must propagate through the nil-Components branch too")
-		assert.Len(t, full.ProxyPatch.ForwardingRules, 1)
-	})
-}
-
-func TestEncodeNetworkMapEnvelope_NilComponentsGracefulDegrade(t *testing.T) {
-	// nil Components → minimal envelope, no crash. Matches the legacy
-	// behaviour for missing/unvalidated peers.
-	env := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{
-		Components: nil,
-		DNSDomain:  "netbird.cloud",
-	})
-
-	require.NotNil(t, env)
-	full := env.GetFull()
-	require.NotNil(t, full)
-	require.NotNil(t, full.AccountSettings, "AccountSettings must always be non-nil")
-	assert.Equal(t, "netbird.cloud", full.DnsDomain)
-	assert.Empty(t, full.Peers)
-	assert.Empty(t, full.Policies)
-}
-
-func TestEncodeNetworkMapEnvelope_AccountSettingsAlwaysEmitted(t *testing.T) {
-	c := &types.NetworkMapComponents{
-		Network: &types.Network{Identifier: "x", Net: net.IPNet{IP: net.IP{100, 64, 0, 0}, Mask: net.CIDRMask(10, 32)}},
-		// AccountSettings deliberately nil
-	}
-
-	full := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{Components: c}).GetFull()
-
-	require.NotNil(t, full.AccountSettings, "client dereferences AccountSettings unconditionally during Calculate(); a nil here would crash the receiver")
-	assert.False(t, full.AccountSettings.PeerLoginExpirationEnabled)
-	assert.Zero(t, full.AccountSettings.PeerLoginExpirationNs)
-}

management/internals/shared/grpc/components_envelope_response.go

@@ -1,192 +0,0 @@
-package grpc
-
-import (
-	"context"
-
-	integrationsConfig "github.com/netbirdio/management-integrations/integrations/config"
-
-	"github.com/netbirdio/netbird/client/ssh/auth"
-	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/posture"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/shared/management/networkmap"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-// ToComponentSyncResponse builds a SyncResponse carrying the compact
-// NetworkMapEnvelope for capability-aware peers. The legacy proto.NetworkMap
-// field is intentionally left empty — capable peers ignore it and the
-// envelope alone is the authoritative wire shape.
-//
-// PeerConfig is computed once server-side using the receiving peer's own
-// account-level network metadata. EnableSSH inside PeerConfig is left at
-// peer.SSHEnabled (the peer's local setting); account-policy-driven SSH is
-// computed by the client from the envelope's GroupIDToUserIDs / AllowedUserIDs
-// inside Calculate(), so the SshConfig.SshEnabled bit may flip true on the
-// client even though the server-side PeerConfig reports false.
-func ToComponentSyncResponse(
-	ctx context.Context,
-	config *nbconfig.Config,
-	httpConfig *nbconfig.HttpServerConfig,
-	deviceFlowConfig *nbconfig.DeviceAuthorizationFlow,
-	peer *nbpeer.Peer,
-	turnCredentials *Token,
-	relayCredentials *Token,
-	components *types.NetworkMapComponents,
-	proxyPatch *types.NetworkMap,
-	dnsName string,
-	checks []*posture.Checks,
-	settings *types.Settings,
-	extraSettings *types.ExtraSettings,
-	peerGroups []string,
-	dnsFwdPort int64,
-) *proto.SyncResponse {
-	network := networkOrZero(components)
-	enableSSH := computeSSHEnabledForPeer(components, peer)
-	peerConfig := toPeerConfig(peer, network, dnsName, settings, httpConfig, deviceFlowConfig, enableSSH)
-
-	includeIPv6 := peer.SupportsIPv6() && peer.IPv6.IsValid()
-	useSourcePrefixes := peer.SupportsSourcePrefixes()
-
-	userIDClaim := auth.DefaultUserIDClaim
-	if httpConfig != nil && httpConfig.AuthUserIDClaim != "" {
-		userIDClaim = httpConfig.AuthUserIDClaim
-	}
-
-	envelope := EncodeNetworkMapEnvelope(ComponentsEnvelopeInput{
-		Components:       components,
-		PeerConfig:       peerConfig,
-		DNSDomain:        dnsName,
-		DNSForwarderPort: dnsFwdPort,
-		UserIDClaim:      userIDClaim,
-		ProxyPatch:       toProxyPatch(proxyPatch, dnsName, includeIPv6, useSourcePrefixes),
-	})
-
-	resp := &proto.SyncResponse{
-		PeerConfig:         peerConfig,
-		NetworkMapEnvelope: envelope,
-		Checks:             toProtocolChecks(ctx, checks),
-	}
-
-	nbConfig := toNetbirdConfig(config, turnCredentials, relayCredentials, extraSettings)
-	resp.NetbirdConfig = integrationsConfig.ExtendNetBirdConfig(peer.ID, peerGroups, nbConfig, extraSettings)
-
-	return resp
-}
-
-// networkOrZero returns components.Network or a zero Network — toPeerConfig
-// dereferences network.Net which would panic on nil.
-func networkOrZero(c *types.NetworkMapComponents) *types.Network {
-	if c == nil || c.Network == nil {
-		return &types.Network{}
-	}
-	return c.Network
-}
-
-// toProxyPatch converts a proxy-injected *types.NetworkMap into the wire
-// patch the components envelope ships alongside. Returns nil when there are
-// no fragments to merge — proto3 omits a nil message field, so the receiver
-// sees no patch and skips the merge step entirely.
-//
-// We reuse the legacy proto-conversion helpers (toProtocolRoutes,
-// toProtocolFirewallRules, toProtocolRoutesFirewallRules,
-// appendRemotePeerConfig, ForwardingRule.ToProto) because the proxy
-// delivers fragments pre-expanded — there's no raw component shape to
-// derive them from. Components purity isn't violated: proxy data isn't
-// policy-graph-derived, it's externally injected post-Calculate, so the
-// client merges it on top of its locally-computed NetworkMap.
-func toProxyPatch(nm *types.NetworkMap, dnsName string, includeIPv6, useSourcePrefixes bool) *proto.ProxyPatch {
-	if nm == nil {
-		return nil
-	}
-	if len(nm.Peers) == 0 && len(nm.OfflinePeers) == 0 && len(nm.FirewallRules) == 0 &&
-		len(nm.Routes) == 0 && len(nm.RoutesFirewallRules) == 0 && len(nm.ForwardingRules) == 0 {
-		return nil
-	}
-
-	patch := &proto.ProxyPatch{
-		Peers:              networkmap.AppendRemotePeerConfig(nil, nm.Peers, dnsName, includeIPv6),
-		OfflinePeers:       networkmap.AppendRemotePeerConfig(nil, nm.OfflinePeers, dnsName, includeIPv6),
-		FirewallRules:      networkmap.ToProtocolFirewallRules(nm.FirewallRules, includeIPv6, useSourcePrefixes),
-		Routes:             networkmap.ToProtocolRoutes(nm.Routes),
-		RouteFirewallRules: networkmap.ToProtocolRoutesFirewallRules(nm.RoutesFirewallRules),
-	}
-	if len(nm.ForwardingRules) > 0 {
-		patch.ForwardingRules = make([]*proto.ForwardingRule, 0, len(nm.ForwardingRules))
-		for _, r := range nm.ForwardingRules {
-			patch.ForwardingRules = append(patch.ForwardingRules, r.ToProto())
-		}
-	}
-	return patch
-}
-
-// computeSSHEnabledForPeer mirrors the SSH-server-activation bit that
-// Calculate() folds into NetworkMap.EnableSSH. Components-format peers
-// receive a freshly-computed PeerConfig.SshConfig.SshEnabled at sync time;
-// without this helper the field would be incorrectly false for any peer
-// that's the destination of an SSH-enabling policy without having
-// peer.SSHEnabled set locally.
-//
-// Mirrors the two activation paths Calculate() uses:
-//  1. Explicit: rule.Protocol == NetbirdSSH and peer is in the rule's
-//     destinations.
-//  2. Legacy implicit: rule covers TCP/22 or TCP/22022 (or ALL), peer is in
-//     destinations, AND the peer has SSHEnabled set locally — this is the
-//     "allow-all/TCP-22 implies SSH activation for SSH-capable peers" path.
-//
-// The full SSH AuthorizedUsers map is still produced by the client when it
-// runs Calculate() over the envelope.
-func computeSSHEnabledForPeer(c *types.NetworkMapComponents, peer *nbpeer.Peer) bool {
-	if c == nil || peer == nil {
-		return false
-	}
-	// Mirror Calculate's `getAllPeersFromGroups` invariant: target peer must
-	// exist in c.Peers, otherwise no rule applies to it.
-	if _, ok := c.Peers[peer.ID]; !ok {
-		return false
-	}
-	for _, policy := range c.Policies {
-		if policy == nil || !policy.Enabled {
-			continue
-		}
-		for _, rule := range policy.Rules {
-			if ruleEnablesSSHForPeer(c, rule, peer) {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-// ruleEnablesSSHForPeer returns true when rule is active, targets peer, and
-// either explicitly authorises SSH or covers the legacy TCP/22 path while the
-// peer itself has SSH enabled locally.
-func ruleEnablesSSHForPeer(c *types.NetworkMapComponents, rule *types.PolicyRule, peer *nbpeer.Peer) bool {
-	if rule == nil || !rule.Enabled {
-		return false
-	}
-	if !peerInDestinations(c, rule, peer.ID) {
-		return false
-	}
-	if rule.Protocol == types.PolicyRuleProtocolNetbirdSSH {
-		return true
-	}
-	return peer.SSHEnabled && types.PolicyRuleImpliesLegacySSH(rule)
-}
-
-// peerInDestinations reports whether peerID is in any of rule.Destinations'
-// groups (or matches DestinationResource if it's a peer-typed resource —
-// for non-peer types Calculate falls through to group lookup, so we mirror
-// that exactly to avoid silent divergence).
-func peerInDestinations(c *types.NetworkMapComponents, rule *types.PolicyRule, peerID string) bool {
-	if rule.DestinationResource.Type == types.ResourceTypePeer && rule.DestinationResource.ID != "" {
-		return rule.DestinationResource.ID == peerID
-	}
-	for _, groupID := range rule.Destinations {
-		if c.IsPeerInGroup(peerID, groupID) {
-			return true
-		}
-	}
-	return false
-}

management/internals/shared/grpc/components_envelope_response_test.go

@@ -1,184 +0,0 @@
-package grpc
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/types"
-)
-
-// TestComputeSSHEnabledForPeer covers both Calculate-mirroring branches:
-// explicit NetbirdSSH protocol, and the legacy implicit case where a
-// TCP/22 (or 22022 / ALL / port-range-covering-22) rule activates SSH when
-// the destination peer has SSHEnabled=true locally.
-func TestComputeSSHEnabledForPeer(t *testing.T) {
-	const targetPeerID = "target"
-	const targetGroupID = "g_dst"
-
-	mkComponents := func(rule *types.PolicyRule, sshEnabled bool) (*types.NetworkMapComponents, *nbpeer.Peer) {
-		peer := &nbpeer.Peer{ID: targetPeerID, SSHEnabled: sshEnabled}
-		group := &types.Group{ID: targetGroupID, Name: "dst", Peers: []string{targetPeerID}}
-		return &types.NetworkMapComponents{
-			Peers:  map[string]*nbpeer.Peer{targetPeerID: peer},
-			Groups: map[string]*types.Group{targetGroupID: group},
-			Policies: []*types.Policy{{
-				ID:      "p",
-				Enabled: true,
-				Rules:   []*types.PolicyRule{rule},
-			}},
-		}, peer
-	}
-
-	cases := []struct {
-		name        string
-		peerSSH     bool
-		rule        types.PolicyRule
-		wantEnabled bool
-	}{
-		{
-			name:    "explicit-netbird-ssh-activates-regardless-of-peer-ssh",
-			peerSSH: false,
-			rule: types.PolicyRule{
-				Enabled: true, Protocol: types.PolicyRuleProtocolNetbirdSSH,
-				Destinations: []string{targetGroupID},
-			},
-			wantEnabled: true,
-		},
-		{
-			name:    "implicit-tcp-22-with-peer-ssh",
-			peerSSH: true,
-			rule: types.PolicyRule{
-				Enabled: true, Protocol: types.PolicyRuleProtocolTCP, Ports: []string{"22"},
-				Destinations: []string{targetGroupID},
-			},
-			wantEnabled: true,
-		},
-		{
-			name:    "implicit-tcp-22-without-peer-ssh-disabled",
-			peerSSH: false,
-			rule: types.PolicyRule{
-				Enabled: true, Protocol: types.PolicyRuleProtocolTCP, Ports: []string{"22"},
-				Destinations: []string{targetGroupID},
-			},
-			wantEnabled: false,
-		},
-		{
-			name:    "implicit-tcp-22022-with-peer-ssh",
-			peerSSH: true,
-			rule: types.PolicyRule{
-				Enabled: true, Protocol: types.PolicyRuleProtocolTCP, Ports: []string{"22022"},
-				Destinations: []string{targetGroupID},
-			},
-			wantEnabled: true,
-		},
-		{
-			name:    "implicit-all-protocol-with-peer-ssh",
-			peerSSH: true,
-			rule: types.PolicyRule{
-				Enabled: true, Protocol: types.PolicyRuleProtocolALL,
-				Destinations: []string{targetGroupID},
-			},
-			wantEnabled: true,
-		},
-		{
-			name:    "implicit-port-range-covers-22",
-			peerSSH: true,
-			rule: types.PolicyRule{
-				Enabled:      true,
-				Protocol:     types.PolicyRuleProtocolTCP,
-				PortRanges:   []types.RulePortRange{{Start: 20, End: 30}},
-				Destinations: []string{targetGroupID},
-			},
-			wantEnabled: true,
-		},
-		{
-			name:    "tcp-80-no-ssh",
-			peerSSH: true,
-			rule: types.PolicyRule{
-				Enabled: true, Protocol: types.PolicyRuleProtocolTCP, Ports: []string{"80"},
-				Destinations: []string{targetGroupID},
-			},
-			wantEnabled: false,
-		},
-		{
-			name:    "disabled-rule-skipped",
-			peerSSH: true,
-			rule: types.PolicyRule{
-				Enabled: false, Protocol: types.PolicyRuleProtocolNetbirdSSH,
-				Destinations: []string{targetGroupID},
-			},
-			wantEnabled: false,
-		},
-		{
-			name:    "peer-not-in-destinations",
-			peerSSH: true,
-			rule: types.PolicyRule{
-				Enabled: true, Protocol: types.PolicyRuleProtocolNetbirdSSH,
-				Destinations: []string{"g_other"}, // target not in this group
-			},
-			wantEnabled: false,
-		},
-		{
-			name:    "peer-typed-destination-resource-matches",
-			peerSSH: false,
-			rule: types.PolicyRule{
-				Enabled:             true,
-				Protocol:            types.PolicyRuleProtocolNetbirdSSH,
-				DestinationResource: types.Resource{ID: targetPeerID, Type: types.ResourceTypePeer},
-			},
-			wantEnabled: true,
-		},
-		{
-			name:    "non-peer-destination-resource-falls-through-to-groups",
-			peerSSH: false,
-			rule: types.PolicyRule{
-				Enabled:             true,
-				Protocol:            types.PolicyRuleProtocolNetbirdSSH,
-				DestinationResource: types.Resource{ID: targetPeerID, Type: "host"}, // wrong type
-				Destinations:        []string{targetGroupID},                        // saved by group fallback
-			},
-			wantEnabled: true,
-		},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			c, peer := mkComponents(&tc.rule, tc.peerSSH)
-			got := computeSSHEnabledForPeer(c, peer)
-			assert.Equal(t, tc.wantEnabled, got)
-		})
-	}
-}
-
-// TestComputeSSHEnabledForPeer_TargetMissingFromComponents covers the
-// belt-and-suspenders presence guard mirroring Calculate's
-// getAllPeersFromGroups invariant.
-func TestComputeSSHEnabledForPeer_TargetMissingFromComponents(t *testing.T) {
-	peer := &nbpeer.Peer{ID: "missing", SSHEnabled: true}
-	c := &types.NetworkMapComponents{
-		Peers: map[string]*nbpeer.Peer{}, // target peer NOT present
-		Groups: map[string]*types.Group{
-			"g": {ID: "g", Peers: []string{"missing"}},
-		},
-		Policies: []*types.Policy{{
-			ID: "p", Enabled: true,
-			Rules: []*types.PolicyRule{{
-				Enabled: true, Protocol: types.PolicyRuleProtocolNetbirdSSH,
-				Destinations: []string{"g"},
-			}},
-		}},
-	}
-	assert.False(t, computeSSHEnabledForPeer(c, peer),
-		"missing target peer must short-circuit to false, not consult policies")
-}
-
-// TestComputeSSHEnabledForPeer_NilInputs guards the cheap nil-checks at
-// function entry — Calculate doesn't accept nil either, but the helper is
-// exported indirectly via ToComponentSyncResponse and may receive nil
-// components on graceful-degrade paths.
-func TestComputeSSHEnabledForPeer_NilInputs(t *testing.T) {
-	assert.False(t, computeSSHEnabledForPeer(nil, &nbpeer.Peer{ID: "x"}))
-	assert.False(t, computeSSHEnabledForPeer(&types.NetworkMapComponents{}, nil))
-}

management/internals/shared/grpc/conversion.go

@@ -10,20 +10,24 @@ import (
 
 	"github.com/hashicorp/go-version"
 	nbversion "github.com/netbirdio/netbird/version"
+	log "github.com/sirupsen/logrus"
+	goproto "google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	integrationsConfig "github.com/netbirdio/management-integrations/integrations/config"
 
 	"github.com/netbirdio/netbird/client/ssh/auth"
 
+	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller/cache"
 	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/posture"
 	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/shared/management/networkmap"
+	nbroute "github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/shared/netiputil"
+	"github.com/netbirdio/netbird/shared/sshauth"
 )
 
 const (
@@ -155,8 +159,8 @@ func ToSyncResponse(ctx context.Context, config *nbconfig.Config, httpConfig *nb
 		PeerConfig: toPeerConfig(peer, networkMap.Network, dnsName, settings, httpConfig, deviceFlowConfig, networkMap.EnableSSH),
 		NetworkMap: &proto.NetworkMap{
 			Serial:     networkMap.Network.CurrentSerial(),
-			Routes:     networkmap.ToProtocolRoutes(networkMap.Routes),
-			DNSConfig:  networkmap.ToProtocolDNSConfig(networkMap.DNSConfig, dnsCache, dnsFwdPort),
+			Routes:     toProtocolRoutes(networkMap.Routes),
+			DNSConfig:  toProtocolDNSConfig(networkMap.DNSConfig, dnsCache, dnsFwdPort),
 			PeerConfig: toPeerConfig(peer, networkMap.Network, dnsName, settings, httpConfig, deviceFlowConfig, networkMap.EnableSSH),
 		},
 		Checks: toProtocolChecks(ctx, checks),
@@ -169,7 +173,7 @@ func ToSyncResponse(ctx context.Context, config *nbconfig.Config, httpConfig *nb
 	response.NetworkMap.PeerConfig = response.PeerConfig
 
 	remotePeers := make([]*proto.RemotePeerConfig, 0, len(networkMap.Peers)+len(networkMap.OfflinePeers))
-	remotePeers = networkmap.AppendRemotePeerConfig(remotePeers, networkMap.Peers, dnsName, includeIPv6)
+	remotePeers = appendRemotePeerConfig(remotePeers, networkMap.Peers, dnsName, includeIPv6)
 
 	if !shouldSkipSendingDeprecatedRemotePeers(peer.Meta.WtVersion) {
 		response.RemotePeers = remotePeers
@@ -179,13 +183,13 @@ func ToSyncResponse(ctx context.Context, config *nbconfig.Config, httpConfig *nb
 	response.RemotePeersIsEmpty = len(remotePeers) == 0
 	response.NetworkMap.RemotePeersIsEmpty = response.RemotePeersIsEmpty
 
-	response.NetworkMap.OfflinePeers = networkmap.AppendRemotePeerConfig(nil, networkMap.OfflinePeers, dnsName, includeIPv6)
+	response.NetworkMap.OfflinePeers = appendRemotePeerConfig(nil, networkMap.OfflinePeers, dnsName, includeIPv6)
 
-	firewallRules := networkmap.ToProtocolFirewallRules(networkMap.FirewallRules, includeIPv6, useSourcePrefixes)
+	firewallRules := toProtocolFirewallRules(networkMap.FirewallRules, includeIPv6, useSourcePrefixes)
 	response.NetworkMap.FirewallRules = firewallRules
 	response.NetworkMap.FirewallRulesIsEmpty = len(firewallRules) == 0
 
-	routesFirewallRules := networkmap.ToProtocolRoutesFirewallRules(networkMap.RoutesFirewallRules)
+	routesFirewallRules := toProtocolRoutesFirewallRules(networkMap.RoutesFirewallRules)
 	response.NetworkMap.RoutesFirewallRules = routesFirewallRules
 	response.NetworkMap.RoutesFirewallRulesIsEmpty = len(routesFirewallRules) == 0
 
@@ -198,7 +202,7 @@ func ToSyncResponse(ctx context.Context, config *nbconfig.Config, httpConfig *nb
 	}
 
 	if networkMap.AuthorizedUsers != nil {
-		hashedUsers, machineUsers := networkmap.BuildAuthorizedUsersProto(ctx, networkMap.AuthorizedUsers)
+		hashedUsers, machineUsers := buildAuthorizedUsersProto(ctx, networkMap.AuthorizedUsers)
 		userIDClaim := auth.DefaultUserIDClaim
 		if httpConfig != nil && httpConfig.AuthUserIDClaim != "" {
 			userIDClaim = httpConfig.AuthUserIDClaim
@@ -238,6 +242,33 @@ func encodeSessionExpiresAt(deadline time.Time) *timestamppb.Timestamp {
 	return timestamppb.New(deadline)
 }
 
+func buildAuthorizedUsersProto(ctx context.Context, authorizedUsers map[string]map[string]struct{}) ([][]byte, map[string]*proto.MachineUserIndexes) {
+	userIDToIndex := make(map[string]uint32)
+	var hashedUsers [][]byte
+	machineUsers := make(map[string]*proto.MachineUserIndexes, len(authorizedUsers))
+
+	for machineUser, users := range authorizedUsers {
+		indexes := make([]uint32, 0, len(users))
+		for userID := range users {
+			idx, exists := userIDToIndex[userID]
+			if !exists {
+				hash, err := sshauth.HashUserID(userID)
+				if err != nil {
+					log.WithContext(ctx).Errorf("failed to hash user id %s: %v", userID, err)
+					continue
+				}
+				idx = uint32(len(hashedUsers))
+				userIDToIndex[userID] = idx
+				hashedUsers = append(hashedUsers, hash[:])
+			}
+			indexes = append(indexes, idx)
+		}
+		machineUsers[machineUser] = &proto.MachineUserIndexes{Indexes: indexes}
+	}
+
+	return hashedUsers, machineUsers
+}
+
 func shouldSkipSendingDeprecatedRemotePeers(peerVersion string) bool {
 	if nbversion.IsDevelopmentVersion(peerVersion) {
 		return true
@@ -251,6 +282,51 @@ func shouldSkipSendingDeprecatedRemotePeers(peerVersion string) bool {
 	return precomputedDeprecatedRemotePeersConstraint.Check(peerNBVersion)
 }
 
+func appendRemotePeerConfig(dst []*proto.RemotePeerConfig, peers []*nbpeer.Peer, dnsName string, includeIPv6 bool) []*proto.RemotePeerConfig {
+	for _, rPeer := range peers {
+		allowedIPs := []string{rPeer.IP.String() + "/32"}
+		if includeIPv6 && rPeer.IPv6.IsValid() {
+			allowedIPs = append(allowedIPs, rPeer.IPv6.String()+"/128")
+		}
+		dst = append(dst, &proto.RemotePeerConfig{
+			WgPubKey:     rPeer.Key,
+			AllowedIps:   allowedIPs,
+			SshConfig:    &proto.SSHConfig{SshPubKey: []byte(rPeer.SSHKey)},
+			Fqdn:         rPeer.FQDN(dnsName),
+			AgentVersion: rPeer.Meta.WtVersion,
+		})
+	}
+	return dst
+}
+
+// toProtocolDNSConfig converts nbdns.Config to proto.DNSConfig using the cache
+func toProtocolDNSConfig(update nbdns.Config, cache *cache.DNSConfigCache, forwardPort int64) *proto.DNSConfig {
+	protoUpdate := &proto.DNSConfig{
+		ServiceEnable:    update.ServiceEnable,
+		CustomZones:      make([]*proto.CustomZone, 0, len(update.CustomZones)),
+		NameServerGroups: make([]*proto.NameServerGroup, 0, len(update.NameServerGroups)),
+		ForwarderPort:    forwardPort,
+	}
+
+	for _, zone := range update.CustomZones {
+		protoZone := convertToProtoCustomZone(zone)
+		protoUpdate.CustomZones = append(protoUpdate.CustomZones, protoZone)
+	}
+
+	for _, nsGroup := range update.NameServerGroups {
+		cacheKey := nsGroup.ID
+		if cachedGroup, exists := cache.GetNameServerGroup(cacheKey); exists {
+			protoUpdate.NameServerGroups = append(protoUpdate.NameServerGroups, cachedGroup)
+		} else {
+			protoGroup := convertToProtoNameServerGroup(nsGroup)
+			cache.SetNameServerGroup(cacheKey, protoGroup)
+			protoUpdate.NameServerGroups = append(protoUpdate.NameServerGroups, protoGroup)
+		}
+	}
+
+	return protoUpdate
+}
+
 func ToResponseProto(configProto nbconfig.Protocol) proto.HostConfig_Protocol {
 	switch configProto {
 	case nbconfig.UDP:
@@ -268,6 +344,203 @@ func ToResponseProto(configProto nbconfig.Protocol) proto.HostConfig_Protocol {
 	}
 }
 
+func toProtocolRoutes(routes []*nbroute.Route) []*proto.Route {
+	protoRoutes := make([]*proto.Route, 0, len(routes))
+	for _, r := range routes {
+		protoRoutes = append(protoRoutes, toProtocolRoute(r))
+	}
+	return protoRoutes
+}
+
+func toProtocolRoute(route *nbroute.Route) *proto.Route {
+	return &proto.Route{
+		ID:            string(route.ID),
+		NetID:         string(route.NetID),
+		Network:       route.Network.String(),
+		Domains:       route.Domains.ToPunycodeList(),
+		NetworkType:   int64(route.NetworkType),
+		Peer:          route.Peer,
+		Metric:        int64(route.Metric),
+		Masquerade:    route.Masquerade,
+		KeepRoute:     route.KeepRoute,
+		SkipAutoApply: route.SkipAutoApply,
+	}
+}
+
+// toProtocolFirewallRules converts the firewall rules to the protocol firewall rules.
+// When useSourcePrefixes is true, the compact SourcePrefixes field is populated
+// alongside the deprecated PeerIP for forward compatibility.
+// Wildcard rules ("0.0.0.0") are expanded into separate v4 and v6 SourcePrefixes
+// when includeIPv6 is true.
+func toProtocolFirewallRules(rules []*types.FirewallRule, includeIPv6, useSourcePrefixes bool) []*proto.FirewallRule {
+	result := make([]*proto.FirewallRule, 0, len(rules))
+	for i := range rules {
+		rule := rules[i]
+
+		fwRule := &proto.FirewallRule{
+			PolicyID:  []byte(rule.PolicyID),
+			PeerIP:    rule.PeerIP, //nolint:staticcheck // populated for backward compatibility
+			Direction: getProtoDirection(rule.Direction),
+			Action:    getProtoAction(rule.Action),
+			Protocol:  getProtoProtocol(rule.Protocol),
+			Port:      rule.Port,
+		}
+
+		if useSourcePrefixes && rule.PeerIP != "" {
+			result = append(result, populateSourcePrefixes(fwRule, rule, includeIPv6)...)
+		}
+
+		if shouldUsePortRange(fwRule) {
+			fwRule.PortInfo = rule.PortRange.ToProto()
+		}
+
+		result = append(result, fwRule)
+	}
+	return result
+}
+
+// populateSourcePrefixes sets SourcePrefixes on fwRule and returns any
+// additional rules needed (e.g. a v6 wildcard clone when the peer IP is unspecified).
+func populateSourcePrefixes(fwRule *proto.FirewallRule, rule *types.FirewallRule, includeIPv6 bool) []*proto.FirewallRule {
+	addr, err := netip.ParseAddr(rule.PeerIP)
+	if err != nil {
+		return nil
+	}
+
+	if !addr.IsUnspecified() {
+		fwRule.SourcePrefixes = [][]byte{netiputil.EncodeAddr(addr.Unmap())}
+		return nil
+	}
+
+	// IPv4Unspecified/0 is always valid, error is impossible.
+	v4Wildcard, _ := netiputil.EncodePrefix(netip.PrefixFrom(netip.IPv4Unspecified(), 0))
+	fwRule.SourcePrefixes = [][]byte{v4Wildcard}
+
+	if !includeIPv6 {
+		return nil
+	}
+
+	v6Rule := goproto.Clone(fwRule).(*proto.FirewallRule)
+	v6Rule.PeerIP = "::" //nolint:staticcheck // populated for backward compatibility
+	// IPv6Unspecified/0 is always valid, error is impossible.
+	v6Wildcard, _ := netiputil.EncodePrefix(netip.PrefixFrom(netip.IPv6Unspecified(), 0))
+	v6Rule.SourcePrefixes = [][]byte{v6Wildcard}
+	if shouldUsePortRange(v6Rule) {
+		v6Rule.PortInfo = rule.PortRange.ToProto()
+	}
+	return []*proto.FirewallRule{v6Rule}
+}
+
+// getProtoDirection converts the direction to proto.RuleDirection.
+func getProtoDirection(direction int) proto.RuleDirection {
+	if direction == types.FirewallRuleDirectionOUT {
+		return proto.RuleDirection_OUT
+	}
+	return proto.RuleDirection_IN
+}
+
+func toProtocolRoutesFirewallRules(rules []*types.RouteFirewallRule) []*proto.RouteFirewallRule {
+	result := make([]*proto.RouteFirewallRule, len(rules))
+	for i := range rules {
+		rule := rules[i]
+		result[i] = &proto.RouteFirewallRule{
+			SourceRanges: rule.SourceRanges,
+			Action:       getProtoAction(rule.Action),
+			Destination:  rule.Destination,
+			Protocol:     getProtoProtocol(rule.Protocol),
+			PortInfo:     getProtoPortInfo(rule),
+			IsDynamic:    rule.IsDynamic,
+			Domains:      rule.Domains.ToPunycodeList(),
+			PolicyID:     []byte(rule.PolicyID),
+			RouteID:      string(rule.RouteID),
+		}
+	}
+
+	return result
+}
+
+// getProtoAction converts the action to proto.RuleAction.
+func getProtoAction(action string) proto.RuleAction {
+	if action == string(types.PolicyTrafficActionDrop) {
+		return proto.RuleAction_DROP
+	}
+	return proto.RuleAction_ACCEPT
+}
+
+// getProtoProtocol converts the protocol to proto.RuleProtocol.
+func getProtoProtocol(protocol string) proto.RuleProtocol {
+	switch types.PolicyRuleProtocolType(protocol) {
+	case types.PolicyRuleProtocolALL:
+		return proto.RuleProtocol_ALL
+	case types.PolicyRuleProtocolTCP:
+		return proto.RuleProtocol_TCP
+	case types.PolicyRuleProtocolUDP:
+		return proto.RuleProtocol_UDP
+	case types.PolicyRuleProtocolICMP:
+		return proto.RuleProtocol_ICMP
+	default:
+		return proto.RuleProtocol_UNKNOWN
+	}
+}
+
+// getProtoPortInfo converts the port info to proto.PortInfo.
+func getProtoPortInfo(rule *types.RouteFirewallRule) *proto.PortInfo {
+	var portInfo proto.PortInfo
+	if rule.Port != 0 {
+		portInfo.PortSelection = &proto.PortInfo_Port{Port: uint32(rule.Port)}
+	} else if portRange := rule.PortRange; portRange.Start != 0 && portRange.End != 0 {
+		portInfo.PortSelection = &proto.PortInfo_Range_{
+			Range: &proto.PortInfo_Range{
+				Start: uint32(portRange.Start),
+				End:   uint32(portRange.End),
+			},
+		}
+	}
+	return &portInfo
+}
+
+func shouldUsePortRange(rule *proto.FirewallRule) bool {
+	return rule.Port == "" && (rule.Protocol == proto.RuleProtocol_UDP || rule.Protocol == proto.RuleProtocol_TCP)
+}
+
+// Helper function to convert nbdns.CustomZone to proto.CustomZone
+func convertToProtoCustomZone(zone nbdns.CustomZone) *proto.CustomZone {
+	protoZone := &proto.CustomZone{
+		Domain:               zone.Domain,
+		Records:              make([]*proto.SimpleRecord, 0, len(zone.Records)),
+		SearchDomainDisabled: zone.SearchDomainDisabled,
+		NonAuthoritative:     zone.NonAuthoritative,
+	}
+	for _, record := range zone.Records {
+		protoZone.Records = append(protoZone.Records, &proto.SimpleRecord{
+			Name:  record.Name,
+			Type:  int64(record.Type),
+			Class: record.Class,
+			TTL:   int64(record.TTL),
+			RData: record.RData,
+		})
+	}
+	return protoZone
+}
+
+// Helper function to convert nbdns.NameServerGroup to proto.NameServerGroup
+func convertToProtoNameServerGroup(nsGroup *nbdns.NameServerGroup) *proto.NameServerGroup {
+	protoGroup := &proto.NameServerGroup{
+		Primary:              nsGroup.Primary,
+		Domains:              nsGroup.Domains,
+		SearchDomainsEnabled: nsGroup.SearchDomainsEnabled,
+		NameServers:          make([]*proto.NameServer, 0, len(nsGroup.NameServers)),
+	}
+	for _, ns := range nsGroup.NameServers {
+		protoGroup.NameServers = append(protoGroup.NameServers, &proto.NameServer{
+			IP:     ns.IP.String(),
+			Port:   int64(ns.Port),
+			NSType: int64(ns.NSType),
+		})
+	}
+	return protoGroup
+}
+
 // buildJWTConfig constructs JWT configuration for SSH servers from management server config
 func buildJWTConfig(config *nbconfig.HttpServerConfig, deviceFlowConfig *nbconfig.DeviceAuthorizationFlow) *proto.JWTConfig {
 	if config == nil || config.AuthAudience == "" {

management/internals/shared/grpc/conversion_test.go

@@ -13,7 +13,6 @@ import (
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller/cache"
 	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
-	"github.com/netbirdio/netbird/shared/management/networkmap"
 )
 
 func TestToProtocolDNSConfigWithCache(t *testing.T) {
@@ -63,13 +62,13 @@ func TestToProtocolDNSConfigWithCache(t *testing.T) {
 	}
 
 	// First run with config1
-	result1 := networkmap.ToProtocolDNSConfig(config1, &cache, int64(network_map.DnsForwarderPort))
+	result1 := toProtocolDNSConfig(config1, &cache, int64(network_map.DnsForwarderPort))
 
 	// Second run with config2
-	result2 := networkmap.ToProtocolDNSConfig(config2, &cache, int64(network_map.DnsForwarderPort))
+	result2 := toProtocolDNSConfig(config2, &cache, int64(network_map.DnsForwarderPort))
 
 	// Third run with config1 again
-	result3 := networkmap.ToProtocolDNSConfig(config1, &cache, int64(network_map.DnsForwarderPort))
+	result3 := toProtocolDNSConfig(config1, &cache, int64(network_map.DnsForwarderPort))
 
 	// Verify that result1 and result3 are identical
 	if !reflect.DeepEqual(result1, result3) {
@@ -101,7 +100,7 @@ func BenchmarkToProtocolDNSConfig(b *testing.B) {
 
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {
-				networkmap.ToProtocolDNSConfig(testData, cache, int64(network_map.DnsForwarderPort))
+				toProtocolDNSConfig(testData, cache, int64(network_map.DnsForwarderPort))
 			}
 		})
 
@@ -109,7 +108,7 @@ func BenchmarkToProtocolDNSConfig(b *testing.B) {
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {
 				cache := &cache.DNSConfigCache{}
-				networkmap.ToProtocolDNSConfig(testData, cache, int64(network_map.DnsForwarderPort))
+				toProtocolDNSConfig(testData, cache, int64(network_map.DnsForwarderPort))
 			}
 		})
 	}

management/internals/shared/grpc/server.go

@@ -1012,31 +1012,7 @@ func (s *Server) sendInitialSync(ctx context.Context, peerKey wgtypes.Key, peer
 		return status.Errorf(codes.Internal, "failed to get peer groups %s", err)
 	}
 
-	dnsName := s.networkMapController.GetDNSDomain(settings)
-
-	var plainResp *proto.SyncResponse
-	if s.networkMapController.PeerNeedsComponents(peer) {
-		// Capable peer: discard the legacy NetworkMap that SyncAndMarkPeer
-		// computed and recompute the raw components instead. This wastes one
-		// Calculate() call per initial-sync — the component-based wire
-		// format is what the peer actually consumes. The streaming path
-		// (network_map.Controller.UpdateAccountPeers) skips this duplication
-		// because it dispatches by capability before computing.
-		//
-		// TODO: refactor SyncPeer / SyncAndMarkPeer / their mocks + manager
-		// interfaces to return PeerNetworkMapResult so the initial-sync path
-		// stops doing duplicate work. Deferred until the client-side
-		// decoder lands and there's a real deployment of capability=3 peers
-		// worth optimizing for.
-		_, components, proxyPatch, _, _, err := s.networkMapController.GetValidatedPeerWithComponents(ctx, false, peer.AccountID, peer)
-		if err != nil {
-			log.WithContext(ctx).Errorf("failed to build components for peer %s on initial sync: %v", peer.ID, err)
-			return status.Errorf(codes.Internal, "failed to build initial sync envelope")
-		}
-		plainResp = ToComponentSyncResponse(ctx, s.config, s.config.HttpConfig, s.config.DeviceAuthorizationFlow, peer, turnToken, relayToken, components, proxyPatch, dnsName, postureChecks, settings, settings.Extra, peerGroups, dnsFwdPort)
-	} else {
-		plainResp = ToSyncResponse(ctx, s.config, s.config.HttpConfig, s.config.DeviceAuthorizationFlow, peer, turnToken, relayToken, networkMap, dnsName, postureChecks, nil, settings, settings.Extra, peerGroups, dnsFwdPort)
-	}
+	plainResp := ToSyncResponse(ctx, s.config, s.config.HttpConfig, s.config.DeviceAuthorizationFlow, peer, turnToken, relayToken, networkMap, s.networkMapController.GetDNSDomain(settings), postureChecks, nil, settings, settings.Extra, peerGroups, dnsFwdPort)
 
 	key, err := s.secretsManager.GetWGKey()
 	if err != nil {

management/server/account.go

@@ -1636,14 +1636,6 @@ func (am *DefaultAccountManager) SyncUserJWTGroups(ctx context.Context, userAuth
 			return nil
 		}
 
-		for _, g := range newGroupsToCreate {
-			seq, err := transaction.AllocateAccountSeqID(ctx, userAuth.AccountId, types.AccountSeqEntityGroup)
-			if err != nil {
-				return fmt.Errorf("error allocating group seq id: %w", err)
-			}
-			g.AccountSeqID = seq
-		}
-
 		if err = transaction.CreateGroups(ctx, userAuth.AccountId, newGroupsToCreate); err != nil {
 			return fmt.Errorf("error saving groups: %w", err)
 		}

management/server/account_test.go

@@ -3059,16 +3059,6 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 		user, err := manager.Store.GetUserByUserID(context.Background(), store.LockingStrengthNone, "user2")
 		assert.NoError(t, err, "unable to get user")
 		assert.Len(t, user.AutoGroups, 1, "new group should be added")
-
-		var newJWTGroup *types.Group
-		for _, g := range groups {
-			if g.Name == "group3" {
-				newJWTGroup = g
-				break
-			}
-		}
-		require.NotNil(t, newJWTGroup, "JIT-created JWT group not found")
-		assert.NotZero(t, newJWTGroup.AccountSeqID, "JIT-created JWT group must have a non-zero AccountSeqID")
 	})
 
 	t.Run("remove all JWT groups when list is empty", func(t *testing.T) {

management/server/group.go

@@ -93,12 +93,6 @@ func (am *DefaultAccountManager) CreateGroup(ctx context.Context, accountID, use
 		events := am.prepareGroupEvents(ctx, transaction, accountID, userID, newGroup)
 		eventsToStore = append(eventsToStore, events...)
 
-		seq, err := transaction.AllocateAccountSeqID(ctx, accountID, types.AccountSeqEntityGroup)
-		if err != nil {
-			return status.Errorf(status.Internal, "failed to allocate group seq id: %v", err)
-		}
-		newGroup.AccountSeqID = seq
-
 		if err := transaction.CreateGroup(ctx, newGroup); err != nil {
 			return status.Errorf(status.Internal, "failed to create group: %v", err)
 		}
@@ -164,8 +158,6 @@ func (am *DefaultAccountManager) UpdateGroup(ctx context.Context, accountID, use
 			return err
 		}
 
-		newGroup.AccountSeqID = oldGroup.AccountSeqID
-
 		if err = transaction.UpdateGroup(ctx, newGroup); err != nil {
 			return err
 		}
@@ -244,12 +236,6 @@ func (am *DefaultAccountManager) CreateGroups(ctx context.Context, accountID, us
 
 			newGroup.AccountID = accountID
 
-			seq, err := transaction.AllocateAccountSeqID(ctx, accountID, types.AccountSeqEntityGroup)
-			if err != nil {
-				return err
-			}
-			newGroup.AccountSeqID = seq
-
 			if err = transaction.CreateGroup(ctx, newGroup); err != nil {
 				return err
 			}
@@ -341,12 +327,6 @@ func (am *DefaultAccountManager) updateSingleGroup(ctx context.Context, accountI
 
 		newGroup.AccountID = accountID
 
-		oldGroup, err := transaction.GetGroupByID(ctx, store.LockingStrengthNone, accountID, newGroup.ID)
-		if err != nil {
-			return err
-		}
-		newGroup.AccountSeqID = oldGroup.AccountSeqID
-
 		if err := transaction.UpdateGroup(ctx, newGroup); err != nil {
 			return err
 		}
@@ -361,6 +341,7 @@ func (am *DefaultAccountManager) updateSingleGroup(ctx context.Context, accountI
 
 		events = am.prepareGroupEvents(ctx, transaction, accountID, userID, newGroup)
 
+		var err error
 		snap, err = affectedpeers.Load(ctx, transaction, accountID, change)
 		return err
 	})

management/server/migration/account_seq.go

@@ -1,156 +0,0 @@
-package migration
-
-import (
-	"context"
-	"fmt"
-
-	log "github.com/sirupsen/logrus"
-	"gorm.io/gorm"
-
-	"github.com/netbirdio/netbird/management/server/types"
-)
-
-// BackfillAccountSeqIDs assigns a deterministic per-account sequential id to all
-// rows of `model` whose account_seq_id is zero, then seeds account_seq_counters
-// with the next free id per account. Idempotent: safe to re-run; both steps
-// no-op once everything is consistent.
-//
-// Implemented as two table-wide SQL statements with window functions, one
-// transaction. Backfilling 246k rows across 154k accounts on Postgres takes
-// well under a second instead of the per-account-loop ~2 minutes.
-//
-// orderColumn is the column to use when assigning the deterministic ordering
-// (typically the primary-key string id).
-func BackfillAccountSeqIDs[T any](
-	ctx context.Context,
-	db *gorm.DB,
-	entity types.AccountSeqEntity,
-	orderColumn string,
-) error {
-	var model T
-	if !db.Migrator().HasTable(&model) {
-		log.WithContext(ctx).Debugf("backfill seq id: table for %T missing, skip", model)
-		return nil
-	}
-
-	stmt := &gorm.Statement{DB: db}
-	if err := stmt.Parse(&model); err != nil {
-		return fmt.Errorf("parse model: %w", err)
-	}
-	table := quoteIdent(db, stmt.Schema.Table)
-	orderCol := quoteIdent(db, orderColumn)
-
-	return db.Transaction(func(tx *gorm.DB) error {
-		var pending int64
-		if err := tx.Raw(
-			fmt.Sprintf("SELECT count(*) FROM %s WHERE account_seq_id IS NULL OR account_seq_id = 0", table),
-		).Scan(&pending).Error; err != nil {
-			return fmt.Errorf("count pending on %s: %w", table, err)
-		}
-
-		if pending > 0 {
-			log.WithContext(ctx).Infof("backfill seq id: %s — %d rows pending", table, pending)
-			if err := backfillRankSQL(tx, table, orderCol); err != nil {
-				return fmt.Errorf("rank %s: %w", table, err)
-			}
-		}
-
-		if err := seedCountersSQL(tx, table, entity); err != nil {
-			return fmt.Errorf("seed counters for %s: %w", entity, err)
-		}
-		return nil
-	})
-}
-
-func quoteIdent(db *gorm.DB, name string) string {
-	switch db.Dialector.Name() {
-	case "mysql":
-		return "`" + name + "`"
-	case "postgres":
-		return `"` + name + `"`
-	default:
-		return name
-	}
-}
-
-func backfillRankSQL(db *gorm.DB, table, orderCol string) error {
-	dialect := db.Dialector.Name()
-	var sql string
-	switch dialect {
-	case "postgres", "sqlite":
-		sql = fmt.Sprintf(`
-WITH max_seq AS (
-    SELECT account_id, COALESCE(MAX(account_seq_id), 0) AS max_seq
-    FROM %s
-    GROUP BY account_id
-),
-ranked AS (
-    SELECT p.id,
-           m.max_seq + ROW_NUMBER() OVER (PARTITION BY p.account_id ORDER BY p.%s) AS new_seq
-    FROM %s p
-    JOIN max_seq m ON p.account_id = m.account_id
-    WHERE p.account_seq_id IS NULL OR p.account_seq_id = 0
-)
-UPDATE %s SET account_seq_id = ranked.new_seq
-FROM ranked
-WHERE %s.id = ranked.id
-`, table, orderCol, table, table, table)
-	case "mysql":
-		sql = fmt.Sprintf(`
-UPDATE %s p
-JOIN (
-    SELECT account_id, COALESCE(MAX(account_seq_id), 0) AS max_seq
-    FROM %s
-    GROUP BY account_id
-) m ON p.account_id = m.account_id
-JOIN (
-    SELECT id, ROW_NUMBER() OVER (PARTITION BY account_id ORDER BY %s) AS rn
-    FROM %s
-    WHERE account_seq_id IS NULL OR account_seq_id = 0
-) r ON p.id = r.id
-SET p.account_seq_id = m.max_seq + r.rn
-`, table, table, orderCol, table)
-	default:
-		return fmt.Errorf("unsupported dialect: %s", dialect)
-	}
-	return db.Exec(sql).Error
-}
-
-func seedCountersSQL(db *gorm.DB, table string, entity types.AccountSeqEntity) error {
-	dialect := db.Dialector.Name()
-	var sql string
-	switch dialect {
-	case "postgres":
-		sql = fmt.Sprintf(`
-INSERT INTO account_seq_counters (account_id, entity, next_id)
-SELECT account_id, ?, MAX(account_seq_id) + 1
-FROM %s
-WHERE account_seq_id IS NOT NULL AND account_seq_id > 0
-GROUP BY account_id
-ON CONFLICT (account_id, entity) DO UPDATE
-    SET next_id = GREATEST(account_seq_counters.next_id, EXCLUDED.next_id)
-`, table)
-	case "sqlite":
-		sql = fmt.Sprintf(`
-INSERT INTO account_seq_counters (account_id, entity, next_id)
-SELECT account_id, ?, MAX(account_seq_id) + 1
-FROM %s
-WHERE account_seq_id IS NOT NULL AND account_seq_id > 0
-GROUP BY account_id
-ON CONFLICT (account_id, entity) DO UPDATE
-    SET next_id = max(account_seq_counters.next_id, excluded.next_id)
-`, table)
-	case "mysql":
-		sql = fmt.Sprintf(`
-INSERT INTO account_seq_counters (account_id, entity, next_id)
-SELECT account_id, ?, MAX(account_seq_id) + 1
-FROM %s
-WHERE account_seq_id IS NOT NULL AND account_seq_id > 0
-GROUP BY account_id
-ON DUPLICATE KEY UPDATE next_id = GREATEST(next_id, VALUES(next_id))
-`, table)
-	default:
-		return fmt.Errorf("unsupported dialect: %s", dialect)
-	}
-	return db.Exec(sql, string(entity)).Error
-}

management/server/nameserver.go

@@ -67,12 +67,6 @@ func (am *DefaultAccountManager) CreateNameServerGroup(ctx context.Context, acco
 			return err
 		}
 
-		seq, err := transaction.AllocateAccountSeqID(ctx, accountID, types.AccountSeqEntityNameserverGroup)
-		if err != nil {
-			return err
-		}
-		newNSGroup.AccountSeqID = seq
-
 		if err = transaction.SaveNameServerGroup(ctx, newNSGroup); err != nil {
 			return err
 		}
@@ -122,8 +116,6 @@ func (am *DefaultAccountManager) SaveNameServerGroup(ctx context.Context, accoun
 			return err
 		}
 
-		nsGroupToSave.AccountSeqID = oldNSGroup.AccountSeqID
-
 		if err = transaction.SaveNameServerGroup(ctx, nsGroupToSave); err != nil {
 			return err
 		}

management/server/networks/manager.go

@@ -16,7 +16,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
-	serverTypes "github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/management/status"
 )
 
@@ -72,20 +71,9 @@ func (m *managerImpl) CreateNetwork(ctx context.Context, userID string, network
 
 	network.ID = xid.New().String()
 
-	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		seq, err := transaction.AllocateAccountSeqID(ctx, network.AccountID, serverTypes.AccountSeqEntityNetwork)
-		if err != nil {
-			return fmt.Errorf("failed to allocate network seq id: %w", err)
-		}
-		network.AccountSeqID = seq
-
-		if err := transaction.SaveNetwork(ctx, network); err != nil {
-			return fmt.Errorf("failed to save network: %w", err)
-		}
-		return nil
-	})
+	err = m.store.SaveNetwork(ctx, network)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to save network: %w", err)
 	}
 
 	m.accountManager.StoreEvent(ctx, userID, network.ID, network.AccountID, activity.NetworkCreated, network.EventMeta())
@@ -114,25 +102,14 @@ func (m *managerImpl) UpdateNetwork(ctx context.Context, userID string, network
 		return nil, status.NewPermissionDeniedError()
 	}
 
-	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		existing, err := transaction.GetNetworkByID(ctx, store.LockingStrengthUpdate, network.AccountID, network.ID)
-		if err != nil {
-			return fmt.Errorf("failed to get network: %w", err)
-		}
-		network.AccountSeqID = existing.AccountSeqID
-
-		if err := transaction.SaveNetwork(ctx, network); err != nil {
-			return fmt.Errorf("failed to save network: %w", err)
-		}
-		return nil
-	})
+	_, err = m.store.GetNetworkByID(ctx, store.LockingStrengthUpdate, network.AccountID, network.ID)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to get network: %w", err)
 	}
 
 	m.accountManager.StoreEvent(ctx, userID, network.ID, network.AccountID, activity.NetworkUpdated, network.EventMeta())
 
-	return network, nil
+	return network, m.store.SaveNetwork(ctx, network)
 }
 
 func (m *managerImpl) DeleteNetwork(ctx context.Context, accountID, userID, networkID string) error {

management/server/networks/manager_test.go

@@ -255,73 +255,3 @@ func Test_UpdateNetworkFailsWithPermissionDenied(t *testing.T) {
 	require.Error(t, err)
 	require.Nil(t, updatedNetwork)
 }
-
-// Test_CreateNetworkAllocatesSeqID verifies that CreateNetwork sets a
-// non-zero AccountSeqID on the persisted network (allocated through the
-// account_seq_counters table).
-func Test_CreateNetworkAllocatesSeqID(t *testing.T) {
-	ctx := context.Background()
-	const accountID = "testAccountId"
-	const userID = "testAdminId"
-
-	s, cleanUp, err := store.NewTestStoreFromSQL(ctx, "../testdata/networks.sql", t.TempDir())
-	require.NoError(t, err)
-	t.Cleanup(cleanUp)
-
-	am := mock_server.MockAccountManager{}
-	permissionsManager := permissions.NewManager(s)
-	groupsManager := groups.NewManagerMock()
-	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
-	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
-
-	created, err := manager.CreateNetwork(ctx, userID, &types.Network{
-		AccountID: accountID,
-		Name:      "seq-allocation-test",
-	})
-	require.NoError(t, err)
-	require.NotZero(t, created.AccountSeqID, "CreateNetwork must allocate a non-zero AccountSeqID")
-}
-
-// Test_UpdateNetworkPreservesSeqID verifies UpdateNetwork does not reset
-// AccountSeqID even when the caller passes a zero value (the shape REST
-// handlers produce because the field is `json:"-"`).
-func Test_UpdateNetworkPreservesSeqID(t *testing.T) {
-	ctx := context.Background()
-	const accountID = "testAccountId"
-	const userID = "testAdminId"
-
-	s, cleanUp, err := store.NewTestStoreFromSQL(ctx, "../testdata/networks.sql", t.TempDir())
-	require.NoError(t, err)
-	t.Cleanup(cleanUp)
-
-	am := mock_server.MockAccountManager{}
-	permissionsManager := permissions.NewManager(s)
-	groupsManager := groups.NewManagerMock()
-	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
-	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
-
-	created, err := manager.CreateNetwork(ctx, userID, &types.Network{
-		AccountID: accountID,
-		Name:      "seq-preserve-original",
-	})
-	require.NoError(t, err)
-	originalSeq := created.AccountSeqID
-	require.NotZero(t, originalSeq)
-
-	update := &types.Network{
-		AccountID: accountID,
-		ID:        created.ID,
-		Name:      "seq-preserve-renamed",
-	}
-	require.Zero(t, update.AccountSeqID, "incoming struct must mirror an HTTP handler shape")
-
-	_, err = manager.UpdateNetwork(ctx, userID, update)
-	require.NoError(t, err)
-
-	got, err := manager.GetNetwork(ctx, accountID, userID, created.ID)
-	require.NoError(t, err)
-	require.Equal(t, originalSeq, got.AccountSeqID, "AccountSeqID must survive UpdateNetwork")
-	require.Equal(t, "seq-preserve-renamed", got.Name)
-}

management/server/networks/resources/manager.go

@@ -146,12 +146,6 @@ func (m *managerImpl) createResourceInTransaction(ctx context.Context, transacti
 		return nil, nil, fmt.Errorf("failed to get network: %w", err)
 	}
 
-	seq, err := transaction.AllocateAccountSeqID(ctx, resource.AccountID, nbtypes.AccountSeqEntityNetworkResource)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to allocate network resource seq id: %w", err)
-	}
-	resource.AccountSeqID = seq
-
 	if err = transaction.SaveNetworkResource(ctx, resource); err != nil {
 		return nil, nil, fmt.Errorf("failed to save network resource: %w", err)
 	}
@@ -251,7 +245,6 @@ func (m *managerImpl) UpdateResource(ctx context.Context, userID string, resourc
 		if err != nil {
 			return fmt.Errorf("failed to get network resource: %w", err)
 		}
-		resource.AccountSeqID = oldResource.AccountSeqID
 
 		oldGroups, err := m.groupsManager.GetResourceGroupsInTransaction(ctx, transaction, store.LockingStrengthNone, resource.AccountID, resource.ID)
 		if err != nil {

management/server/networks/resources/types/resource.go

@@ -32,9 +32,6 @@ type NetworkResource struct {
 	ID          string `gorm:"primaryKey"`
 	NetworkID   string `gorm:"index"`
 	AccountID   string `gorm:"index"`
-	// AccountSeqID is a per-account monotonically increasing identifier used as the
-	// compact wire id when sending NetworkMap components to capable peers.
-	AccountSeqID uint32 `json:"-" gorm:"index:idx_network_resources_account_seq_id;not null;default:0"`
 	Name        string
 	Description string
 	Type        NetworkResourceType
@@ -96,18 +93,17 @@ func (n *NetworkResource) FromAPIRequest(req *api.NetworkResourceRequest) {
 
 func (n *NetworkResource) Copy() *NetworkResource {
 	return &NetworkResource{
-		ID:           n.ID,
-		AccountID:    n.AccountID,
-		NetworkID:    n.NetworkID,
-		AccountSeqID: n.AccountSeqID,
-		Name:         n.Name,
-		Description:  n.Description,
-		Type:         n.Type,
-		Address:      n.Address,
-		Domain:       n.Domain,
-		Prefix:       n.Prefix,
-		GroupIDs:     n.GroupIDs,
-		Enabled:      n.Enabled,
+		ID:          n.ID,
+		AccountID:   n.AccountID,
+		NetworkID:   n.NetworkID,
+		Name:        n.Name,
+		Description: n.Description,
+		Type:        n.Type,
+		Address:     n.Address,
+		Domain:      n.Domain,
+		Prefix:      n.Prefix,
+		GroupIDs:    n.GroupIDs,
+		Enabled:     n.Enabled,
 	}
 }
 

management/server/networks/routers/manager.go

@@ -16,7 +16,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
-	serverTypes "github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/management/status"
 )
 
@@ -105,12 +104,6 @@ func (m *managerImpl) CreateRouter(ctx context.Context, userID string, router *t
 
 		router.ID = xid.New().String()
 
-		seq, err := transaction.AllocateAccountSeqID(ctx, router.AccountID, serverTypes.AccountSeqEntityNetworkRouter)
-		if err != nil {
-			return fmt.Errorf("failed to allocate network router seq id: %w", err)
-		}
-		router.AccountSeqID = seq
-
 		err = transaction.CreateNetworkRouter(ctx, router)
 		if err != nil {
 			return fmt.Errorf("failed to create network router: %w", err)
@@ -206,11 +199,6 @@ func (m *managerImpl) updateRouterInTransaction(ctx context.Context, transaction
 		return nil, nil, affectedpeers.Change{}, status.NewRouterNotPartOfNetworkError(router.ID, router.NetworkID)
 	}
 
-	// Preserve AccountSeqID from the existing router so the upstream
-	// UpdateNetworkRouter (which does Updates(router) with Select("*"))
-	// doesn't clobber it with the request's zero value.
-	router.AccountSeqID = existing.AccountSeqID
-
 	if err = transaction.UpdateNetworkRouter(ctx, router); err != nil {
 		return nil, nil, affectedpeers.Change{}, fmt.Errorf("failed to update network router: %w", err)
 	}

management/server/networks/routers/types/router.go

@@ -13,9 +13,6 @@ type NetworkRouter struct {
 	ID         string `gorm:"primaryKey"`
 	NetworkID  string `gorm:"index"`
 	AccountID  string `gorm:"index"`
-	// AccountSeqID is a per-account monotonically increasing identifier used as the
-	// compact wire id when sending NetworkMap components to capable peers.
-	AccountSeqID uint32 `json:"-" gorm:"index:idx_network_routers_account_seq_id;not null;default:0"`
 	Peer       string
 	PeerGroups []string `gorm:"serializer:json"`
 	Masquerade bool
@@ -81,15 +78,14 @@ func (n *NetworkRouter) FromAPIRequest(req *api.NetworkRouterRequest) {
 
 func (n *NetworkRouter) Copy() *NetworkRouter {
 	return &NetworkRouter{
-		ID:           n.ID,
-		NetworkID:    n.NetworkID,
-		AccountID:    n.AccountID,
-		AccountSeqID: n.AccountSeqID,
-		Peer:         n.Peer,
-		PeerGroups:   n.PeerGroups,
-		Masquerade:   n.Masquerade,
-		Metric:       n.Metric,
-		Enabled:      n.Enabled,
+		ID:         n.ID,
+		NetworkID:  n.NetworkID,
+		AccountID:  n.AccountID,
+		Peer:       n.Peer,
+		PeerGroups: n.PeerGroups,
+		Masquerade: n.Masquerade,
+		Metric:     n.Metric,
+		Enabled:    n.Enabled,
 	}
 }
 

management/server/networks/types/network.go

@@ -7,24 +7,12 @@ import (
 )
 
 type Network struct {
-	ID        string `gorm:"primaryKey"`
-	AccountID string `gorm:"index"`
-
-	// AccountSeqID is a per-account monotonically increasing identifier used as the
-	// compact wire id when sending NetworkMap components to capable peers.
-	AccountSeqID uint32 `json:"-" gorm:"index:idx_networks_account_seq_id;not null;default:0"`
-
+	ID          string `gorm:"primaryKey"`
+	AccountID   string `gorm:"index"`
 	Name        string
 	Description string
 }
 
-// HasSeqID reports whether the network has been persisted long enough to have
-// a per-account sequence id allocated. Wire encoders that key off AccountSeqID
-// must skip networks that return false here.
-func (n *Network) HasSeqID() bool {
-	return n != nil && n.AccountSeqID != 0
-}
-
 func NewNetwork(accountId, name, description string) *Network {
 	return &Network{
 		ID:          xid.New().String(),
@@ -53,14 +41,13 @@ func (n *Network) FromAPIRequest(req *api.NetworkRequest) {
 	}
 }
 
-// Copy returns a copy of a network.
+// Copy returns a copy of a posture checks.
 func (n *Network) Copy() *Network {
 	return &Network{
-		ID:           n.ID,
-		AccountID:    n.AccountID,
-		AccountSeqID: n.AccountSeqID,
-		Name:         n.Name,
-		Description:  n.Description,
+		ID:          n.ID,
+		AccountID:   n.AccountID,
+		Name:        n.Name,
+		Description: n.Description,
 	}
 }
 

management/server/peer.go

@@ -1124,7 +1124,7 @@ func (am *DefaultAccountManager) LoginPeer(ctx context.Context, login types.Peer
 	}
 
 	var peer *nbpeer.Peer
-	var shouldStorePeer bool
+	var shouldStorePeer, shouldUpdatePeers bool
 	var peerGroupIDs []string
 
 	settings, err := am.Store.GetAccountSettings(ctx, store.LockingStrengthNone, accountID)
@@ -1151,6 +1151,7 @@ func (am *DefaultAccountManager) LoginPeer(ctx context.Context, login types.Peer
 
 			if changed {
 				shouldStorePeer = true
+				shouldUpdatePeers = true
 			}
 		}
 
@@ -1174,13 +1175,16 @@ func (am *DefaultAccountManager) LoginPeer(ctx context.Context, login types.Peer
 			}
 		}
 
+		// This is needed to keep in memory for the peer config. Otherwise browser client will end in a retry loop
+		peer.UpdateMetaIfNew(login.Meta)
+
 		return nil
 	})
 	if err != nil {
 		return nil, nil, nil, false, err
 	}
 
-	isRequiresApproval, isStatusChanged, err := am.integratedPeerValidator.IsNotValidPeer(ctx, accountID, peer, peerGroupIDs, settings.Extra)
+	isRequiresApproval, _, err := am.integratedPeerValidator.IsNotValidPeer(ctx, accountID, peer, peerGroupIDs, settings.Extra)
 	if err != nil {
 		return nil, nil, nil, false, err
 	}
@@ -1190,7 +1194,7 @@ func (am *DefaultAccountManager) LoginPeer(ctx context.Context, login types.Peer
 		return nil, nil, nil, false, err
 	}
 
-	if isStatusChanged || shouldStorePeer {
+	if shouldUpdatePeers {
 		changedPeerIDs := []string{peer.ID}
 		affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, changedPeerIDs)
 		if err = am.networkMapController.OnPeersUpdated(ctx, accountID, changedPeerIDs, affectedPeerIDs); err != nil {

management/server/peer/peer.go

@@ -13,9 +13,8 @@ import (
 
 // Peer capability constants mirror the proto enum values.
 const (
-	PeerCapabilitySourcePrefixes      int32 = 1
-	PeerCapabilityIPv6Overlay         int32 = 2
-	PeerCapabilityComponentNetworkMap int32 = 3
+	PeerCapabilitySourcePrefixes int32 = 1
+	PeerCapabilityIPv6Overlay    int32 = 2
 )
 
 // Peer represents a machine connected to the network.
@@ -248,14 +247,6 @@ func (p *Peer) SupportsSourcePrefixes() bool {
 	return p.HasCapability(PeerCapabilitySourcePrefixes)
 }
 
-// SupportsComponentNetworkMap reports whether the peer assembles its
-// NetworkMap from server-shipped components instead of consuming a fully
-// expanded NetworkMap. Determines whether the network_map controller skips
-// Calculate() server-side and emits the components envelope.
-func (p *Peer) SupportsComponentNetworkMap() bool {
-	return p.HasCapability(PeerCapabilityComponentNetworkMap)
-}
-
 func capabilitiesEqual(a, b []int32) bool {
 	if len(a) != len(b) {
 		return false

management/server/policy.go

@@ -67,18 +67,10 @@ func (am *DefaultAccountManager) SavePolicy(ctx context.Context, accountID, user
 
 			action = activity.PolicyUpdated
 
-			policy.AccountSeqID = existingPolicy.AccountSeqID
-
 			if err = transaction.SavePolicy(ctx, policy); err != nil {
 				return err
 			}
 		} else {
-			seq, err := transaction.AllocateAccountSeqID(ctx, accountID, types.AccountSeqEntityPolicy)
-			if err != nil {
-				return err
-			}
-			policy.AccountSeqID = seq
-
 			if err = transaction.CreatePolicy(ctx, policy); err != nil {
 				return err
 			}

management/server/posture/checks.go

@@ -47,21 +47,10 @@ type Checks struct {
 	// AccountID is a reference to the Account that this object belongs
 	AccountID string `json:"-" gorm:"index"`
 
-	// AccountSeqID is a per-account monotonically increasing identifier used as the
-	// compact wire id when sending NetworkMap components to capable peers.
-	AccountSeqID uint32 `json:"-" gorm:"index:idx_posture_checks_account_seq_id;not null;default:0"`
-
 	// Checks is a set of objects that perform the actual checks
 	Checks ChecksDefinition `gorm:"serializer:json"`
 }
 
-// HasSeqID reports whether the posture check has been persisted long enough
-// to have a per-account sequence id allocated. Wire encoders that key off
-// AccountSeqID must skip checks that return false here.
-func (pc *Checks) HasSeqID() bool {
-	return pc != nil && pc.AccountSeqID != 0
-}
-
 // ChecksDefinition contains definition of actual check
 type ChecksDefinition struct {
 	NBVersionCheck        *NBVersionCheck        `json:",omitempty"`
@@ -132,12 +121,11 @@ func (*Checks) TableName() string {
 // Copy returns a copy of a posture checks.
 func (pc *Checks) Copy() *Checks {
 	checks := &Checks{
-		ID:           pc.ID,
-		Name:         pc.Name,
-		Description:  pc.Description,
-		AccountID:    pc.AccountID,
-		AccountSeqID: pc.AccountSeqID,
-		Checks:       pc.Checks.Copy(),
+		ID:          pc.ID,
+		Name:        pc.Name,
+		Description: pc.Description,
+		AccountID:   pc.AccountID,
+		Checks:      pc.Checks.Copy(),
 	}
 	return checks
 }

management/server/posture_checks.go

@@ -12,7 +12,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/posture"
 	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/management/status"
 )
 
@@ -53,19 +52,7 @@ func (am *DefaultAccountManager) SavePostureChecks(ctx context.Context, accountI
 		}
 
 		if isUpdate {
-			existing, err := transaction.GetPostureChecksByID(ctx, store.LockingStrengthNone, accountID, postureChecks.ID)
-			if err != nil {
-				return err
-			}
-			postureChecks.AccountSeqID = existing.AccountSeqID
-
 			action = activity.PostureCheckUpdated
-		} else {
-			seq, err := transaction.AllocateAccountSeqID(ctx, accountID, types.AccountSeqEntityPostureCheck)
-			if err != nil {
-				return err
-			}
-			postureChecks.AccountSeqID = seq
 		}
 
 		postureChecks.AccountID = accountID

management/server/posture_checks_test.go

@@ -562,61 +562,3 @@ func TestArePostureCheckChangesAffectPeers(t *testing.T) {
 		assert.Empty(t, directPeerIDs)
 	})
 }
-
-// TestSavePostureChecks_AllocatesSeqIDOnCreate verifies that the create path
-// (no incoming ID) allocates a non-zero AccountSeqID via the
-// account_seq_counters table.
-func TestSavePostureChecks_AllocatesSeqIDOnCreate(t *testing.T) {
-	am, _, err := createManager(t)
-	require.NoError(t, err)
-
-	account, err := initTestPostureChecksAccount(am)
-	require.NoError(t, err)
-
-	created, err := am.SavePostureChecks(context.Background(), account.Id, adminUserID, &posture.Checks{
-		Name: "seq-allocation-test",
-		Checks: posture.ChecksDefinition{
-			NBVersionCheck: &posture.NBVersionCheck{MinVersion: "0.26.0"},
-		},
-	}, true)
-	require.NoError(t, err)
-	require.NotZero(t, created.AccountSeqID, "SavePostureChecks on create must allocate a non-zero AccountSeqID")
-}
-
-// TestSavePostureChecks_PreservesSeqIDOnUpdate verifies the update path does
-// not reset AccountSeqID even when the caller passes a zero value (REST
-// handler shape, because the field is `json:"-"`).
-func TestSavePostureChecks_PreservesSeqIDOnUpdate(t *testing.T) {
-	am, _, err := createManager(t)
-	require.NoError(t, err)
-
-	account, err := initTestPostureChecksAccount(am)
-	require.NoError(t, err)
-
-	created, err := am.SavePostureChecks(context.Background(), account.Id, adminUserID, &posture.Checks{
-		Name: "seq-preserve-original",
-		Checks: posture.ChecksDefinition{
-			NBVersionCheck: &posture.NBVersionCheck{MinVersion: "0.26.0"},
-		},
-	}, true)
-	require.NoError(t, err)
-	originalSeq := created.AccountSeqID
-	require.NotZero(t, originalSeq)
-
-	update := &posture.Checks{
-		ID:   created.ID,
-		Name: "seq-preserve-renamed",
-		Checks: posture.ChecksDefinition{
-			NBVersionCheck: &posture.NBVersionCheck{MinVersion: "0.27.0"},
-		},
-	}
-	require.Zero(t, update.AccountSeqID, "incoming struct must mirror an HTTP handler shape")
-
-	_, err = am.SavePostureChecks(context.Background(), account.Id, adminUserID, update, false)
-	require.NoError(t, err)
-
-	got, err := am.GetPostureChecks(context.Background(), account.Id, created.ID, adminUserID)
-	require.NoError(t, err)
-	require.Equal(t, originalSeq, got.AccountSeqID, "AccountSeqID must survive SavePostureChecks update")
-	require.Equal(t, "seq-preserve-renamed", got.Name)
-}

management/server/route.go

@@ -175,12 +175,6 @@ func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID stri
 			return err
 		}
 
-		seq, err := transaction.AllocateAccountSeqID(ctx, accountID, types.AccountSeqEntityRoute)
-		if err != nil {
-			return err
-		}
-		newRoute.AccountSeqID = seq
-
 		if err = transaction.SaveRoute(ctx, newRoute); err != nil {
 			return err
 		}
@@ -228,7 +222,6 @@ func (am *DefaultAccountManager) SaveRoute(ctx context.Context, accountID, userI
 		}
 
 		routeToSave.AccountID = accountID
-		routeToSave.AccountSeqID = oldRoute.AccountSeqID
 
 		if err = transaction.SaveRoute(ctx, routeToSave); err != nil {
 			return err

management/server/store/account_seq_test.go

@@ -1,506 +0,0 @@
-package store
-
-import (
-	"context"
-	"errors"
-	"net/netip"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
-	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
-	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
-	"github.com/netbirdio/netbird/management/server/posture"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/route"
-)
-
-var errRollback = errors.New("intentional rollback")
-
-func TestAllocateAccountSeqID_SequentialPerAccount(t *testing.T) {
-	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "", t.TempDir())
-	t.Cleanup(cleanup)
-	require.NoError(t, err)
-
-	ctx := context.Background()
-	const accA = "acc-a"
-	const accB = "acc-b"
-
-	require.NoError(t, store.ExecuteInTransaction(ctx, func(tx Store) error {
-		got, err := tx.AllocateAccountSeqID(ctx, accA, types.AccountSeqEntityPolicy)
-		require.NoError(t, err)
-		require.Equal(t, uint32(1), got)
-
-		got, err = tx.AllocateAccountSeqID(ctx, accA, types.AccountSeqEntityPolicy)
-		require.NoError(t, err)
-		require.Equal(t, uint32(2), got)
-
-		got, err = tx.AllocateAccountSeqID(ctx, accB, types.AccountSeqEntityPolicy)
-		require.NoError(t, err)
-		require.Equal(t, uint32(1), got, "different account starts from 1")
-
-		got, err = tx.AllocateAccountSeqID(ctx, accA, types.AccountSeqEntityGroup)
-		require.NoError(t, err)
-		require.Equal(t, uint32(1), got, "different entity starts from 1")
-
-		return nil
-	}))
-
-	require.NoError(t, store.ExecuteInTransaction(ctx, func(tx Store) error {
-		got, err := tx.AllocateAccountSeqID(ctx, accA, types.AccountSeqEntityPolicy)
-		require.NoError(t, err)
-		require.Equal(t, uint32(3), got, "counter persists across transactions")
-		return nil
-	}))
-}
-
-func TestPolicyBackfill_AssignsSeqIDsToExistingPolicies(t *testing.T) {
-	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/store.sql", t.TempDir())
-	t.Cleanup(cleanup)
-	require.NoError(t, err)
-
-	ctx := context.Background()
-	const accountID = "bf1c8084-ba50-4ce7-9439-34653001fc3b"
-
-	policies, err := store.GetAccountPolicies(ctx, LockingStrengthNone, accountID)
-	require.NoError(t, err)
-	require.NotEmpty(t, policies, "test fixture must have policies")
-
-	seen := make(map[uint32]bool)
-	for _, p := range policies {
-		require.NotZero(t, p.AccountSeqID, "policy %s must have a non-zero AccountSeqID after migration", p.ID)
-		require.False(t, seen[p.AccountSeqID], "duplicate AccountSeqID %d in account %s", p.AccountSeqID, accountID)
-		seen[p.AccountSeqID] = true
-	}
-}
-
-func TestPolicyUpdate_PreservesSeqID(t *testing.T) {
-	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/store.sql", t.TempDir())
-	t.Cleanup(cleanup)
-	require.NoError(t, err)
-
-	ctx := context.Background()
-	const accountID = "bf1c8084-ba50-4ce7-9439-34653001fc3b"
-	const policyID = "cs1tnh0hhcjnqoiuebf0"
-
-	original, err := store.GetPolicyByID(ctx, LockingStrengthNone, accountID, policyID)
-	require.NoError(t, err)
-	originalSeq := original.AccountSeqID
-	require.NotZero(t, originalSeq, "fixture must have non-zero AccountSeqID after backfill")
-
-	updated := &types.Policy{
-		ID:        policyID,
-		AccountID: accountID,
-		Name:      "renamed",
-		Enabled:   false,
-		Rules:     original.Rules,
-	}
-	require.Zero(t, updated.AccountSeqID, "incoming struct should have zero AccountSeqID like an HTTP handler would")
-
-	require.NoError(t, store.SavePolicy(ctx, updated))
-
-	got, err := store.GetPolicyByID(ctx, LockingStrengthNone, accountID, policyID)
-	require.NoError(t, err)
-	require.Equal(t, originalSeq, got.AccountSeqID, "AccountSeqID must not be reset by update path")
-	require.Equal(t, "renamed", got.Name)
-}
-
-func TestGroupUpdate_PreservesSeqID(t *testing.T) {
-	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/store.sql", t.TempDir())
-	t.Cleanup(cleanup)
-	require.NoError(t, err)
-
-	ctx := context.Background()
-	const accountID = "bf1c8084-ba50-4ce7-9439-34653001fc3b"
-
-	groups, err := store.GetAccountGroups(ctx, LockingStrengthNone, accountID)
-	require.NoError(t, err)
-	require.NotEmpty(t, groups)
-
-	original := groups[0]
-	originalSeq := original.AccountSeqID
-	require.NotZero(t, originalSeq)
-
-	updated := &types.Group{
-		ID:        original.ID,
-		AccountID: accountID,
-		Name:      "renamed",
-		Issued:    original.Issued,
-	}
-	require.Zero(t, updated.AccountSeqID)
-
-	require.NoError(t, store.UpdateGroup(ctx, updated))
-
-	got, err := store.GetGroupByID(ctx, LockingStrengthNone, accountID, original.ID)
-	require.NoError(t, err)
-	require.Equal(t, originalSeq, got.AccountSeqID, "AccountSeqID must not be reset by UpdateGroup")
-	require.Equal(t, "renamed", got.Name)
-}
-
-func TestSaveAccount_AllocatesSeqIDsForDefaultGroupAndPolicy(t *testing.T) {
-	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "", t.TempDir())
-	t.Cleanup(cleanup)
-	require.NoError(t, err)
-
-	ctx := context.Background()
-	const accountID = "save-account-seqid-test"
-
-	account := &types.Account{
-		Id:          accountID,
-		CreatedBy:   "user1",
-		Domain:      "example.test",
-		DNSSettings: types.DNSSettings{},
-		Settings:    &types.Settings{},
-		Network: &types.Network{
-			Identifier: "net-test",
-		},
-		Users: map[string]*types.User{
-			"user1": {Id: "user1", AccountID: accountID, Role: types.UserRoleOwner},
-		},
-	}
-	require.NoError(t, account.AddAllGroup(false), "AddAllGroup should populate default Group + Policy")
-	require.Len(t, account.Groups, 1, "default 'All' group must be present")
-	require.Len(t, account.Policies, 1, "default policy must be present")
-
-	for _, g := range account.Groups {
-		require.Zero(t, g.AccountSeqID, "default group must start with seq=0")
-	}
-	require.Zero(t, account.Policies[0].AccountSeqID, "default policy must start with seq=0")
-
-	require.NoError(t, store.SaveAccount(ctx, account))
-
-	groups, err := store.GetAccountGroups(ctx, LockingStrengthNone, accountID)
-	require.NoError(t, err)
-	require.Len(t, groups, 1)
-	require.NotZerof(t, groups[0].AccountSeqID, "default group must have seq>0 after SaveAccount")
-
-	policies, err := store.GetAccountPolicies(ctx, LockingStrengthNone, accountID)
-	require.NoError(t, err)
-	require.Len(t, policies, 1)
-	require.NotZerof(t, policies[0].AccountSeqID, "default policy must have seq>0 after SaveAccount")
-
-	require.ErrorIs(t, store.ExecuteInTransaction(ctx, func(tx Store) error {
-		next, err := tx.AllocateAccountSeqID(ctx, accountID, types.AccountSeqEntityGroup)
-		require.NoError(t, err)
-		require.Equal(t, groups[0].AccountSeqID+1, next, "next group seq must be max+1")
-
-		next, err = tx.AllocateAccountSeqID(ctx, accountID, types.AccountSeqEntityPolicy)
-		require.NoError(t, err)
-		require.Equal(t, policies[0].AccountSeqID+1, next, "next policy seq must be max+1")
-		return errRollback
-	}), errRollback)
-}
-
-func TestSaveAccount_PreservesExistingSeqIDs(t *testing.T) {
-	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/store.sql", t.TempDir())
-	t.Cleanup(cleanup)
-	require.NoError(t, err)
-
-	ctx := context.Background()
-	const accountID = "bf1c8084-ba50-4ce7-9439-34653001fc3b"
-
-	account, err := store.GetAccount(ctx, accountID)
-	require.NoError(t, err)
-
-	groupSeqs := make(map[string]uint32)
-	policySeqs := make(map[string]uint32)
-	routeSeqs := make(map[route.ID]uint32)
-	nsgSeqs := make(map[string]uint32)
-	resourceSeqs := make(map[string]uint32)
-	routerSeqs := make(map[string]uint32)
-	networkSeqs := make(map[string]uint32)
-
-	for _, g := range account.Groups {
-		require.NotZero(t, g.AccountSeqID, "fixture group must have seq>0 after backfill")
-		groupSeqs[g.ID] = g.AccountSeqID
-	}
-	for _, p := range account.Policies {
-		require.NotZero(t, p.AccountSeqID, "fixture policy must have seq>0")
-		policySeqs[p.ID] = p.AccountSeqID
-	}
-	for _, r := range account.Routes {
-		require.NotZero(t, r.AccountSeqID, "fixture route must have seq>0")
-		routeSeqs[r.ID] = r.AccountSeqID
-	}
-	for _, n := range account.NameServerGroups {
-		require.NotZero(t, n.AccountSeqID, "fixture name_server_group must have seq>0")
-		nsgSeqs[n.ID] = n.AccountSeqID
-	}
-	for _, nr := range account.NetworkResources {
-		require.NotZero(t, nr.AccountSeqID, "fixture network_resource must have seq>0")
-		resourceSeqs[nr.ID] = nr.AccountSeqID
-	}
-	for _, nr := range account.NetworkRouters {
-		require.NotZero(t, nr.AccountSeqID, "fixture network_router must have seq>0")
-		routerSeqs[nr.ID] = nr.AccountSeqID
-	}
-	for _, n := range account.Networks {
-		require.NotZero(t, n.AccountSeqID, "fixture network must have seq>0 after backfill")
-		networkSeqs[n.ID] = n.AccountSeqID
-	}
-
-	require.NoError(t, store.SaveAccount(ctx, account))
-
-	after, err := store.GetAccount(ctx, accountID)
-	require.NoError(t, err)
-	for _, g := range after.Groups {
-		require.Equal(t, groupSeqs[g.ID], g.AccountSeqID, "group %s seq must be preserved on re-save", g.ID)
-	}
-	for _, p := range after.Policies {
-		require.Equal(t, policySeqs[p.ID], p.AccountSeqID, "policy %s seq must be preserved", p.ID)
-	}
-	for _, r := range after.Routes {
-		require.Equal(t, routeSeqs[r.ID], r.AccountSeqID, "route %s seq must be preserved (slice-of-value addressability)", r.ID)
-	}
-	for _, n := range after.NameServerGroups {
-		require.Equal(t, nsgSeqs[n.ID], n.AccountSeqID, "name_server_group %s seq must be preserved (slice-of-value addressability)", n.ID)
-	}
-	for _, nr := range after.NetworkResources {
-		require.Equal(t, resourceSeqs[nr.ID], nr.AccountSeqID, "network_resource %s seq must be preserved", nr.ID)
-	}
-	for _, nr := range after.NetworkRouters {
-		require.Equal(t, routerSeqs[nr.ID], nr.AccountSeqID, "network_router %s seq must be preserved", nr.ID)
-	}
-	for _, n := range after.Networks {
-		require.Equal(t, networkSeqs[n.ID], n.AccountSeqID, "network %s seq must be preserved", n.ID)
-	}
-}
-
-func TestSaveAccount_AllocatesSeqIDsForAllEntityTypes(t *testing.T) {
-	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "", t.TempDir())
-	t.Cleanup(cleanup)
-	require.NoError(t, err)
-
-	ctx := context.Background()
-	const accountID = "save-account-all-entities"
-
-	addr, err := netip.ParseAddr("8.8.8.8")
-	require.NoError(t, err)
-
-	account := &types.Account{
-		Id:        accountID,
-		CreatedBy: "user1",
-		Domain:    "example.test",
-		Settings:  &types.Settings{},
-		Network:   &types.Network{Identifier: "net-test"},
-		Users: map[string]*types.User{
-			"user1": {Id: "user1", AccountID: accountID, Role: types.UserRoleOwner},
-		},
-		Groups: map[string]*types.Group{
-			"g1": {ID: "g1", AccountID: accountID, Name: "g1", Issued: types.GroupIssuedAPI},
-		},
-		Policies: []*types.Policy{
-			{ID: "p1", AccountID: accountID, Name: "p1", Enabled: true,
-				Rules: []*types.PolicyRule{{ID: "r1", PolicyID: "p1", Enabled: true}}},
-		},
-		Routes: map[route.ID]*route.Route{
-			"rt1": {ID: "rt1", AccountID: accountID, NetID: "net1", Peer: "peer1"},
-		},
-		NameServerGroups: map[string]*nbdns.NameServerGroup{
-			"nsg1": {ID: "nsg1", AccountID: accountID, Name: "nsg1", Enabled: true,
-				NameServers: []nbdns.NameServer{{IP: addr, NSType: nbdns.UDPNameServerType, Port: 53}}},
-		},
-		NetworkResources: []*resourceTypes.NetworkResource{
-			{ID: "nr1", AccountID: accountID, NetworkID: "net1", Name: "res1", Enabled: true},
-		},
-		NetworkRouters: []*routerTypes.NetworkRouter{
-			{ID: "nrt1", AccountID: accountID, NetworkID: "net1", Peer: "peer1", Enabled: true},
-		},
-		Networks: []*networkTypes.Network{
-			{ID: "n1", AccountID: accountID, Name: "n1"},
-		},
-		PostureChecks: []*posture.Checks{
-			{ID: "pc1", AccountID: accountID, Name: "pc1",
-				Checks: posture.ChecksDefinition{
-					NBVersionCheck: &posture.NBVersionCheck{MinVersion: "0.26.0"},
-				}},
-		},
-	}
-
-	require.NoError(t, store.SaveAccount(ctx, account))
-
-	after, err := store.GetAccount(ctx, accountID)
-	require.NoError(t, err)
-
-	require.Len(t, after.Groups, 1)
-	require.Len(t, after.Policies, 1)
-	require.Len(t, after.Routes, 1)
-	require.Len(t, after.NameServerGroups, 1)
-	require.Len(t, after.NetworkResources, 1)
-	require.Len(t, after.NetworkRouters, 1)
-	require.Len(t, after.Networks, 1)
-	require.Len(t, after.PostureChecks, 1)
-
-	for _, g := range after.Groups {
-		require.NotZero(t, g.AccountSeqID, "group seq must be allocated")
-	}
-	for _, p := range after.Policies {
-		require.NotZero(t, p.AccountSeqID, "policy seq must be allocated")
-	}
-	for _, r := range after.Routes {
-		require.NotZero(t, r.AccountSeqID, "route seq must be allocated (slice-of-value addressability)")
-	}
-	for _, n := range after.NameServerGroups {
-		require.NotZero(t, n.AccountSeqID, "name_server_group seq must be allocated (slice-of-value addressability)")
-	}
-	for _, nr := range after.NetworkResources {
-		require.NotZero(t, nr.AccountSeqID, "network_resource seq must be allocated")
-	}
-	for _, nr := range after.NetworkRouters {
-		require.NotZero(t, nr.AccountSeqID, "network_router seq must be allocated")
-	}
-	for _, n := range after.Networks {
-		require.NotZero(t, n.AccountSeqID, "network seq must be allocated")
-	}
-	for _, pc := range after.PostureChecks {
-		require.NotZero(t, pc.AccountSeqID, "posture_check seq must be allocated")
-	}
-
-	require.NoError(t, store.SaveAccount(ctx, after))
-	final, err := store.GetAccount(ctx, accountID)
-	require.NoError(t, err)
-	for _, r := range final.Routes {
-		require.Equal(t, after.Routes[r.ID].AccountSeqID, r.AccountSeqID, "route seq preserved on re-save")
-	}
-	for _, n := range final.NameServerGroups {
-		require.Equal(t, after.NameServerGroups[n.ID].AccountSeqID, n.AccountSeqID, "name_server_group seq preserved on re-save")
-	}
-	afterByID := map[string]uint32{}
-	for _, n := range after.Networks {
-		afterByID[n.ID] = n.AccountSeqID
-	}
-	for _, n := range final.Networks {
-		require.Equal(t, afterByID[n.ID], n.AccountSeqID, "network seq preserved on re-save")
-	}
-	afterPCByID := map[string]uint32{}
-	for _, pc := range after.PostureChecks {
-		afterPCByID[pc.ID] = pc.AccountSeqID
-	}
-	for _, pc := range final.PostureChecks {
-		require.Equal(t, afterPCByID[pc.ID], pc.AccountSeqID, "posture_check seq preserved on re-save")
-	}
-}
-
-func TestAllocateAccountSeqID_ConcurrentSameAccountEntity(t *testing.T) {
-	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "", t.TempDir())
-	t.Cleanup(cleanup)
-	require.NoError(t, err)
-
-	ctx := context.Background()
-	const accountID = "concurrent-test"
-	const entity = types.AccountSeqEntityPolicy
-	const goroutines = 32
-
-	type result struct {
-		seq uint32
-		err error
-	}
-	results := make(chan result, goroutines)
-	start := make(chan struct{})
-
-	for i := 0; i < goroutines; i++ {
-		go func() {
-			<-start
-			var allocated uint32
-			err := store.ExecuteInTransaction(ctx, func(tx Store) error {
-				seq, err := tx.AllocateAccountSeqID(ctx, accountID, entity)
-				allocated = seq
-				return err
-			})
-			results <- result{seq: allocated, err: err}
-		}()
-	}
-	close(start)
-
-	seen := make(map[uint32]int, goroutines)
-	for i := 0; i < goroutines; i++ {
-		r := <-results
-		require.NoError(t, r.err, "concurrent allocate must not fail")
-		require.NotZero(t, r.seq, "allocated seq must be non-zero")
-		seen[r.seq]++
-	}
-
-	require.Lenf(t, seen, goroutines, "every concurrent allocation must yield a unique id; got duplicates in %v", seen)
-	for i := uint32(1); i <= goroutines; i++ {
-		require.Equalf(t, 1, seen[i], "id %d must appear exactly once across concurrent allocations", i)
-	}
-}
-
-func TestStoreCreateGroups_AllocatedSeqIDIsNotClobbered(t *testing.T) {
-	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/store.sql", t.TempDir())
-	t.Cleanup(cleanup)
-	require.NoError(t, err)
-
-	ctx := context.Background()
-	const accountID = "bf1c8084-ba50-4ce7-9439-34653001fc3b"
-
-	groups := []*types.Group{
-		{ID: "seq-test-g1", AccountID: accountID, Name: "g1", Issued: "jwt", AccountSeqID: 7777},
-		{ID: "seq-test-g2", AccountID: accountID, Name: "g2", Issued: "jwt", AccountSeqID: 7778},
-	}
-	require.NoError(t, store.CreateGroups(ctx, accountID, groups))
-
-	for _, want := range groups {
-		got, err := store.GetGroupByID(ctx, LockingStrengthNone, accountID, want.ID)
-		require.NoError(t, err)
-		require.Equal(t, want.AccountSeqID, got.AccountSeqID, "seq id from caller must be persisted on insert")
-	}
-
-	groups[0].Name = "g1-renamed"
-	groups[0].AccountSeqID = 0
-	require.NoError(t, store.CreateGroups(ctx, accountID, groups[:1]))
-
-	got, err := store.GetGroupByID(ctx, LockingStrengthNone, accountID, "seq-test-g1")
-	require.NoError(t, err)
-	require.Equal(t, "g1-renamed", got.Name, "upsert path still updates other columns")
-	require.Equal(t, uint32(7777), got.AccountSeqID, "upsert path must NOT overwrite account_seq_id")
-}
-
-func TestPolicyCreate_AllocatesSeqID(t *testing.T) {
-	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/store.sql", t.TempDir())
-	t.Cleanup(cleanup)
-	require.NoError(t, err)
-
-	ctx := context.Background()
-	const accountID = "bf1c8084-ba50-4ce7-9439-34653001fc3b"
-
-	existing, err := store.GetAccountPolicies(ctx, LockingStrengthNone, accountID)
-	require.NoError(t, err)
-	maxSeq := uint32(0)
-	for _, p := range existing {
-		if p.AccountSeqID > maxSeq {
-			maxSeq = p.AccountSeqID
-		}
-	}
-
-	require.NoError(t, store.ExecuteInTransaction(ctx, func(tx Store) error {
-		seq, err := tx.AllocateAccountSeqID(ctx, accountID, types.AccountSeqEntityPolicy)
-		if err != nil {
-			return err
-		}
-		require.Equal(t, maxSeq+1, seq, "next id should be max+1 after backfill")
-
-		newPolicy := &types.Policy{
-			ID:           "bench-new-policy",
-			AccountID:    accountID,
-			AccountSeqID: seq,
-			Enabled:      true,
-			Rules: []*types.PolicyRule{{
-				ID:            "bench-new-policy-rule",
-				PolicyID:      "bench-new-policy",
-				Enabled:       true,
-				Action:        types.PolicyTrafficActionAccept,
-				Sources:       []string{"groupA"},
-				Destinations:  []string{"groupC"},
-				Bidirectional: true,
-			}},
-		}
-		return tx.CreatePolicy(ctx, newPolicy)
-	}))
-
-	created, err := store.GetPolicyByID(ctx, LockingStrengthNone, accountID, "bench-new-policy")
-	require.NoError(t, err)
-	require.Equal(t, maxSeq+1, created.AccountSeqID)
-}

management/server/store/sql_store.go

@@ -137,7 +137,6 @@ func NewSqlStore(ctx context.Context, db *gorm.DB, storeEngine types.Engine, met
 		&networkTypes.Network{}, &routerTypes.NetworkRouter{}, &resourceTypes.NetworkResource{}, &types.AccountOnboarding{},
 		&types.Job{}, &zones.Zone{}, &records.Record{}, &types.UserInviteRecord{}, &rpservice.Service{}, &rpservice.Target{}, &domain.Domain{},
 		&accesslogs.AccessLogEntry{}, &proxy.Proxy{},
-		&types.AccountSeqCounter{},
 	)
 	if err != nil {
 		return nil, fmt.Errorf("auto migratePreAuto: %w", err)
@@ -309,10 +308,6 @@ func (s *SqlStore) SaveAccount(ctx context.Context, account *types.Account) erro
 			return result.Error
 		}
 
-		if err := s.assignAccountSeqIDs(ctx, tx, account); err != nil {
-			return fmt.Errorf("assign seq ids: %w", err)
-		}
-
 		result = tx.
 			Session(&gorm.Session{FullSaveAssociations: true}).
 			Clauses(clause.OnConflict{UpdateAll: true}).
@@ -664,22 +659,6 @@ func (s *SqlStore) SaveUser(ctx context.Context, user *types.User) error {
 }
 
 // CreateGroups creates the given list of groups to the database.
-// groupUpsertColumns is the explicit allowlist of columns that get updated when
-// CreateGroups / UpdateGroups hit a PK conflict. account_seq_id is intentionally
-// omitted so a caller passing an entity with the zero value (e.g. an HTTP
-// handler-built struct) cannot reset the persisted seq id during an upsert.
-// Keep this in sync with the Group schema in management/server/types/group.go.
-func groupUpsertColumns() clause.Set {
-	return clause.AssignmentColumns([]string{
-		"account_id",
-		"name",
-		"issued",
-		"integration_ref_id",
-		"integration_ref_integration_type",
-		"resources",
-	})
-}
-
 func (s *SqlStore) CreateGroups(ctx context.Context, accountID string, groups []*types.Group) error {
 	if len(groups) == 0 {
 		return nil
@@ -689,9 +668,8 @@ func (s *SqlStore) CreateGroups(ctx context.Context, accountID string, groups []
 		result := tx.
 			Clauses(
 				clause.OnConflict{
-					Columns:   []clause.Column{{Name: "id"}},
 					Where:     clause.Where{Exprs: []clause.Expression{clause.Eq{Column: "groups.account_id", Value: accountID}}},
-					DoUpdates: groupUpsertColumns(),
+					UpdateAll: true,
 				},
 			).
 			Omit(clause.Associations).
@@ -715,9 +693,8 @@ func (s *SqlStore) UpdateGroups(ctx context.Context, accountID string, groups []
 		result := tx.
 			Clauses(
 				clause.OnConflict{
-					Columns:   []clause.Column{{Name: "id"}},
 					Where:     clause.Where{Exprs: []clause.Expression{clause.Eq{Column: "groups.account_id", Value: accountID}}},
-					DoUpdates: groupUpsertColumns(),
+					UpdateAll: true,
 				},
 			).
 			Omit(clause.Associations).
@@ -2063,7 +2040,7 @@ func (s *SqlStore) getUsers(ctx context.Context, accountID string) ([]types.User
 }
 
 func (s *SqlStore) getGroups(ctx context.Context, accountID string) ([]*types.Group, error) {
-	const query = `SELECT id, account_id, account_seq_id, name, issued, resources, integration_ref_id, integration_ref_integration_type FROM groups WHERE account_id = $1`
+	const query = `SELECT id, account_id, name, issued, resources, integration_ref_id, integration_ref_integration_type FROM groups WHERE account_id = $1`
 	rows, err := s.pool.Query(ctx, query, accountID)
 	if err != nil {
 		return nil, err
@@ -2073,7 +2050,7 @@ func (s *SqlStore) getGroups(ctx context.Context, accountID string) ([]*types.Gr
 		var resources []byte
 		var refID sql.NullInt64
 		var refType sql.NullString
-		err := row.Scan(&g.ID, &g.AccountID, &g.AccountSeqID, &g.Name, &g.Issued, &resources, &refID, &refType)
+		err := row.Scan(&g.ID, &g.AccountID, &g.Name, &g.Issued, &resources, &refID, &refType)
 		if err == nil {
 			if refID.Valid {
 				g.IntegrationReference.ID = int(refID.Int64)
@@ -2098,7 +2075,7 @@ func (s *SqlStore) getGroups(ctx context.Context, accountID string) ([]*types.Gr
 }
 
 func (s *SqlStore) getPolicies(ctx context.Context, accountID string) ([]*types.Policy, error) {
-	const query = `SELECT id, account_id, account_seq_id, name, description, enabled, source_posture_checks FROM policies WHERE account_id = $1`
+	const query = `SELECT id, account_id, name, description, enabled, source_posture_checks FROM policies WHERE account_id = $1`
 	rows, err := s.pool.Query(ctx, query, accountID)
 	if err != nil {
 		return nil, err
@@ -2107,7 +2084,7 @@ func (s *SqlStore) getPolicies(ctx context.Context, accountID string) ([]*types.
 		var p types.Policy
 		var checks []byte
 		var enabled sql.NullBool
-		err := row.Scan(&p.ID, &p.AccountID, &p.AccountSeqID, &p.Name, &p.Description, &enabled, &checks)
+		err := row.Scan(&p.ID, &p.AccountID, &p.Name, &p.Description, &enabled, &checks)
 		if err == nil {
 			if enabled.Valid {
 				p.Enabled = enabled.Bool
@@ -2125,7 +2102,7 @@ func (s *SqlStore) getPolicies(ctx context.Context, accountID string) ([]*types.
 }
 
 func (s *SqlStore) getRoutes(ctx context.Context, accountID string) ([]route.Route, error) {
-	const query = `SELECT id, account_id, account_seq_id, network, domains, keep_route, net_id, description, peer, peer_groups, network_type, masquerade, metric, enabled, groups, access_control_groups, skip_auto_apply FROM routes WHERE account_id = $1`
+	const query = `SELECT id, account_id, network, domains, keep_route, net_id, description, peer, peer_groups, network_type, masquerade, metric, enabled, groups, access_control_groups, skip_auto_apply FROM routes WHERE account_id = $1`
 	rows, err := s.pool.Query(ctx, query, accountID)
 	if err != nil {
 		return nil, err
@@ -2135,7 +2112,7 @@ func (s *SqlStore) getRoutes(ctx context.Context, accountID string) ([]route.Rou
 		var network, domains, peerGroups, groups, accessGroups []byte
 		var keepRoute, masquerade, enabled, skipAutoApply sql.NullBool
 		var metric sql.NullInt64
-		err := row.Scan(&r.ID, &r.AccountID, &r.AccountSeqID, &network, &domains, &keepRoute, &r.NetID, &r.Description, &r.Peer, &peerGroups, &r.NetworkType, &masquerade, &metric, &enabled, &groups, &accessGroups, &skipAutoApply)
+		err := row.Scan(&r.ID, &r.AccountID, &network, &domains, &keepRoute, &r.NetID, &r.Description, &r.Peer, &peerGroups, &r.NetworkType, &masquerade, &metric, &enabled, &groups, &accessGroups, &skipAutoApply)
 		if err == nil {
 			if keepRoute.Valid {
 				r.KeepRoute = keepRoute.Bool
@@ -2177,7 +2154,7 @@ func (s *SqlStore) getRoutes(ctx context.Context, accountID string) ([]route.Rou
 }
 
 func (s *SqlStore) getNameServerGroups(ctx context.Context, accountID string) ([]nbdns.NameServerGroup, error) {
-	const query = `SELECT id, account_id, account_seq_id, name, description, name_servers, groups, "primary", domains, enabled, search_domains_enabled FROM name_server_groups WHERE account_id = $1`
+	const query = `SELECT id, account_id, name, description, name_servers, groups, "primary", domains, enabled, search_domains_enabled FROM name_server_groups WHERE account_id = $1`
 	rows, err := s.pool.Query(ctx, query, accountID)
 	if err != nil {
 		return nil, err
@@ -2186,7 +2163,7 @@ func (s *SqlStore) getNameServerGroups(ctx context.Context, accountID string) ([
 		var n nbdns.NameServerGroup
 		var ns, groups, domains []byte
 		var primary, enabled, searchDomainsEnabled sql.NullBool
-		err := row.Scan(&n.ID, &n.AccountID, &n.AccountSeqID, &n.Name, &n.Description, &ns, &groups, &primary, &domains, &enabled, &searchDomainsEnabled)
+		err := row.Scan(&n.ID, &n.AccountID, &n.Name, &n.Description, &ns, &groups, &primary, &domains, &enabled, &searchDomainsEnabled)
 		if err == nil {
 			if primary.Valid {
 				n.Primary = primary.Bool
@@ -2222,7 +2199,7 @@ func (s *SqlStore) getNameServerGroups(ctx context.Context, accountID string) ([
 }
 
 func (s *SqlStore) getPostureChecks(ctx context.Context, accountID string) ([]*posture.Checks, error) {
-	const query = `SELECT id, account_id, account_seq_id, name, description, checks FROM posture_checks WHERE account_id = $1`
+	const query = `SELECT id, account_id, name, description, checks FROM posture_checks WHERE account_id = $1`
 	rows, err := s.pool.Query(ctx, query, accountID)
 	if err != nil {
 		return nil, err
@@ -2230,7 +2207,7 @@ func (s *SqlStore) getPostureChecks(ctx context.Context, accountID string) ([]*p
 	checks, err := pgx.CollectRows(rows, func(row pgx.CollectableRow) (*posture.Checks, error) {
 		var c posture.Checks
 		var checksDef []byte
-		err := row.Scan(&c.ID, &c.AccountID, &c.AccountSeqID, &c.Name, &c.Description, &checksDef)
+		err := row.Scan(&c.ID, &c.AccountID, &c.Name, &c.Description, &checksDef)
 		if err == nil && checksDef != nil {
 			_ = json.Unmarshal(checksDef, &c.Checks)
 		}
@@ -2410,7 +2387,7 @@ func (s *SqlStore) getServices(ctx context.Context, accountID string) ([]*rpserv
 }
 
 func (s *SqlStore) getNetworks(ctx context.Context, accountID string) ([]*networkTypes.Network, error) {
-	const query = `SELECT id, account_id, account_seq_id, name, description FROM networks WHERE account_id = $1`
+	const query = `SELECT id, account_id, name, description FROM networks WHERE account_id = $1`
 	rows, err := s.pool.Query(ctx, query, accountID)
 	if err != nil {
 		return nil, err
@@ -2427,7 +2404,7 @@ func (s *SqlStore) getNetworks(ctx context.Context, accountID string) ([]*networ
 }
 
 func (s *SqlStore) getNetworkRouters(ctx context.Context, accountID string) ([]*routerTypes.NetworkRouter, error) {
-	const query = `SELECT id, network_id, account_id, account_seq_id, peer, peer_groups, masquerade, metric, enabled FROM network_routers WHERE account_id = $1`
+	const query = `SELECT id, network_id, account_id, peer, peer_groups, masquerade, metric, enabled FROM network_routers WHERE account_id = $1`
 	rows, err := s.pool.Query(ctx, query, accountID)
 	if err != nil {
 		return nil, err
@@ -2437,7 +2414,7 @@ func (s *SqlStore) getNetworkRouters(ctx context.Context, accountID string) ([]*
 		var peerGroups []byte
 		var masquerade, enabled sql.NullBool
 		var metric sql.NullInt64
-		err := row.Scan(&r.ID, &r.NetworkID, &r.AccountID, &r.AccountSeqID, &r.Peer, &peerGroups, &masquerade, &metric, &enabled)
+		err := row.Scan(&r.ID, &r.NetworkID, &r.AccountID, &r.Peer, &peerGroups, &masquerade, &metric, &enabled)
 		if err == nil {
 			if masquerade.Valid {
 				r.Masquerade = masquerade.Bool
@@ -2465,7 +2442,7 @@ func (s *SqlStore) getNetworkRouters(ctx context.Context, accountID string) ([]*
 }
 
 func (s *SqlStore) getNetworkResources(ctx context.Context, accountID string) ([]*resourceTypes.NetworkResource, error) {
-	const query = `SELECT id, network_id, account_id, account_seq_id, name, description, type, domain, prefix, enabled FROM network_resources WHERE account_id = $1`
+	const query = `SELECT id, network_id, account_id, name, description, type, domain, prefix, enabled FROM network_resources WHERE account_id = $1`
 	rows, err := s.pool.Query(ctx, query, accountID)
 	if err != nil {
 		return nil, err
@@ -2474,7 +2451,7 @@ func (s *SqlStore) getNetworkResources(ctx context.Context, accountID string) ([
 		var r resourceTypes.NetworkResource
 		var prefix []byte
 		var enabled sql.NullBool
-		err := row.Scan(&r.ID, &r.NetworkID, &r.AccountID, &r.AccountSeqID, &r.Name, &r.Description, &r.Type, &r.Domain, &prefix, &enabled)
+		err := row.Scan(&r.ID, &r.NetworkID, &r.AccountID, &r.Name, &r.Description, &r.Type, &r.Domain, &prefix, &enabled)
 		if err == nil {
 			if enabled.Valid {
 				r.Enabled = enabled.Bool
@@ -3647,262 +3624,6 @@ func (s *SqlStore) withTx(tx *gorm.DB) Store {
 	}
 }
 
-// AllocateAccountSeqID returns the next per-account integer id for the given
-// component kind. Must be called inside ExecuteInTransaction so the increment
-// is serialized with the component insert.
-func (s *SqlStore) AllocateAccountSeqID(ctx context.Context, accountID string, entity types.AccountSeqEntity) (uint32, error) {
-	return allocateAccountSeqID(ctx, s.db, s.storeEngine, accountID, entity)
-}
-
-func allocateAccountSeqID(_ context.Context, db *gorm.DB, engine types.Engine, accountID string, entity types.AccountSeqEntity) (uint32, error) {
-	switch engine {
-	case types.PostgresStoreEngine, types.SqliteStoreEngine:
-		return allocateAccountSeqIDReturning(db, accountID, entity)
-	case types.MysqlStoreEngine:
-		return allocateAccountSeqIDMysql(db, accountID, entity)
-	default:
-		return 0, fmt.Errorf("unsupported store engine for account_seq allocator: %v", engine)
-	}
-}
-
-// allocateAccountSeqIDReturning runs a single atomic INSERT ... ON CONFLICT
-// DO UPDATE ... RETURNING that gives us the allocated id without a separate
-// SELECT FOR UPDATE. Two concurrent allocations for the same (account, entity)
-// produce two distinct ids: one wins the INSERT, the other wins the UPDATE
-// branch and returns next_id+1.
-func allocateAccountSeqIDReturning(db *gorm.DB, accountID string, entity types.AccountSeqEntity) (uint32, error) {
-	const sqlStr = `
-		INSERT INTO account_seq_counters (account_id, entity, next_id)
-		VALUES (?, ?, 2)
-		ON CONFLICT (account_id, entity) DO UPDATE
-			SET next_id = account_seq_counters.next_id + 1
-		RETURNING (next_id - 1)
-	`
-	var allocated uint32
-	if err := db.Raw(sqlStr, accountID, string(entity)).Scan(&allocated).Error; err != nil {
-		return 0, fmt.Errorf("upsert account seq counter: %w", err)
-	}
-	if allocated == 0 {
-		return 0, fmt.Errorf("upsert account seq counter returned 0")
-	}
-	return allocated, nil
-}
-
-// allocateAccountSeqIDMysql is the MySQL equivalent of allocateAccountSeqIDReturning.
-// MySQL has no RETURNING on ON DUPLICATE KEY UPDATE, so we use the LAST_INSERT_ID
-// trick: passing an expression to LAST_INSERT_ID(expr) both sets the session value
-// and returns it from the INSERT. The INSERT's value uses LAST_INSERT_ID(2) so the
-// no-conflict path also surfaces the new next_id, keeping the read-back uniform.
-// LAST_INSERT_ID is per-connection; GORM transactions pin a single connection,
-// so the follow-up SELECT sees the same value.
-func allocateAccountSeqIDMysql(db *gorm.DB, accountID string, entity types.AccountSeqEntity) (uint32, error) {
-	const upsertSQL = `
-		INSERT INTO account_seq_counters (account_id, entity, next_id)
-		VALUES (?, ?, LAST_INSERT_ID(2))
-		ON DUPLICATE KEY UPDATE next_id = LAST_INSERT_ID(next_id + 1)
-	`
-	if err := db.Exec(upsertSQL, accountID, string(entity)).Error; err != nil {
-		return 0, fmt.Errorf("upsert account seq counter: %w", err)
-	}
-	var newNext uint64
-	if err := db.Raw("SELECT LAST_INSERT_ID()").Scan(&newNext).Error; err != nil {
-		return 0, fmt.Errorf("get last insert id: %w", err)
-	}
-	if newNext == 0 {
-		return 0, fmt.Errorf("LAST_INSERT_ID returned 0; account_seq_counters misconfigured")
-	}
-	return uint32(newNext - 1), nil
-}
-
-// assignAccountSeqIDs allocates a per-account integer id for any component on
-// the in-memory account whose AccountSeqID is zero. Called from SaveAccount so
-// the canonical "save the whole account" path produces the same persisted seq
-// ids that the manager-level Create paths produce. Update flows that go
-// through SaveAccount preserve existing non-zero values; for those, the
-// per-entity counter is bumped so subsequent AllocateAccountSeqID calls don't
-// hand out a colliding id.
-func (s *SqlStore) assignAccountSeqIDs(ctx context.Context, tx *gorm.DB, account *types.Account) error {
-	maxByEntity := make(map[types.AccountSeqEntity]uint32, 8)
-	bump := func(entity types.AccountSeqEntity, seq uint32) {
-		if seq > maxByEntity[entity] {
-			maxByEntity[entity] = seq
-		}
-	}
-
-	for i := range account.GroupsG {
-		g := account.GroupsG[i]
-		if g == nil {
-			continue
-		}
-		if g.AccountSeqID != 0 {
-			bump(types.AccountSeqEntityGroup, g.AccountSeqID)
-			continue
-		}
-		seq, err := allocateAccountSeqID(ctx, tx, s.storeEngine, account.Id, types.AccountSeqEntityGroup)
-		if err != nil {
-			return err
-		}
-		g.AccountSeqID = seq
-		// Defensive: generateAccountSQLTypes currently aliases the same
-		// *Group pointer into GroupsG and Groups[id] (so this is a no-op
-		// today), but mirror the seq anyway so any future divergence in
-		// how the two collections are populated doesn't silently leave
-		// the canonical map view stale.
-		if original, ok := account.Groups[g.ID]; ok && original != nil && original != g {
-			original.AccountSeqID = seq
-		}
-	}
-	for _, p := range account.Policies {
-		if p == nil {
-			continue
-		}
-		if p.AccountSeqID != 0 {
-			bump(types.AccountSeqEntityPolicy, p.AccountSeqID)
-			continue
-		}
-		seq, err := allocateAccountSeqID(ctx, tx, s.storeEngine, account.Id, types.AccountSeqEntityPolicy)
-		if err != nil {
-			return err
-		}
-		p.AccountSeqID = seq
-	}
-	for i := range account.RoutesG {
-		r := &account.RoutesG[i]
-		if r.AccountSeqID != 0 {
-			bump(types.AccountSeqEntityRoute, r.AccountSeqID)
-			continue
-		}
-		seq, err := allocateAccountSeqID(ctx, tx, s.storeEngine, account.Id, types.AccountSeqEntityRoute)
-		if err != nil {
-			return err
-		}
-		r.AccountSeqID = seq
-		// Mirror the new seq onto the canonical map view so callers that
-		// hold the same in-memory account post-Save read a consistent
-		// AccountSeqID — without this, components/encoder code would see
-		// 0 for routes saved this transaction until the account is reloaded.
-		if original, ok := account.Routes[r.ID]; ok && original != nil {
-			original.AccountSeqID = seq
-		}
-	}
-	for i := range account.NameServerGroupsG {
-		ng := &account.NameServerGroupsG[i]
-		if ng.AccountSeqID != 0 {
-			bump(types.AccountSeqEntityNameserverGroup, ng.AccountSeqID)
-			continue
-		}
-		seq, err := allocateAccountSeqID(ctx, tx, s.storeEngine, account.Id, types.AccountSeqEntityNameserverGroup)
-		if err != nil {
-			return err
-		}
-		ng.AccountSeqID = seq
-		if original, ok := account.NameServerGroups[ng.ID]; ok && original != nil {
-			original.AccountSeqID = seq
-		}
-	}
-	for _, nr := range account.NetworkResources {
-		if nr == nil {
-			continue
-		}
-		if nr.AccountSeqID != 0 {
-			bump(types.AccountSeqEntityNetworkResource, nr.AccountSeqID)
-			continue
-		}
-		seq, err := allocateAccountSeqID(ctx, tx, s.storeEngine, account.Id, types.AccountSeqEntityNetworkResource)
-		if err != nil {
-			return err
-		}
-		nr.AccountSeqID = seq
-	}
-	for _, nr := range account.NetworkRouters {
-		if nr == nil {
-			continue
-		}
-		if nr.AccountSeqID != 0 {
-			bump(types.AccountSeqEntityNetworkRouter, nr.AccountSeqID)
-			continue
-		}
-		seq, err := allocateAccountSeqID(ctx, tx, s.storeEngine, account.Id, types.AccountSeqEntityNetworkRouter)
-		if err != nil {
-			return err
-		}
-		nr.AccountSeqID = seq
-	}
-	for _, n := range account.Networks {
-		if n == nil {
-			continue
-		}
-		if n.AccountSeqID != 0 {
-			bump(types.AccountSeqEntityNetwork, n.AccountSeqID)
-			continue
-		}
-		seq, err := allocateAccountSeqID(ctx, tx, s.storeEngine, account.Id, types.AccountSeqEntityNetwork)
-		if err != nil {
-			return err
-		}
-		n.AccountSeqID = seq
-	}
-	for _, pc := range account.PostureChecks {
-		if pc == nil {
-			continue
-		}
-		if pc.AccountSeqID != 0 {
-			bump(types.AccountSeqEntityPostureCheck, pc.AccountSeqID)
-			continue
-		}
-		seq, err := allocateAccountSeqID(ctx, tx, s.storeEngine, account.Id, types.AccountSeqEntityPostureCheck)
-		if err != nil {
-			return err
-		}
-		pc.AccountSeqID = seq
-	}
-	for entity, maxSeq := range maxByEntity {
-		if err := ensureAccountSeqCounter(tx, s.storeEngine, account.Id, entity, maxSeq+1); err != nil {
-			return fmt.Errorf("seed counter for %s: %w", entity, err)
-		}
-	}
-	return nil
-}
-
-// ensureAccountSeqCounter raises the per-account counter for entity to at
-// least target. Used when SaveAccount persists components that already carry
-// AccountSeqIDs (e.g. test bulk-load from sqlite to postgres, or migrations
-// running before component data lands) so that the next AllocateAccountSeqID
-// call returns a fresh id beyond what was just written.
-func ensureAccountSeqCounter(db *gorm.DB, engine types.Engine, accountID string, entity types.AccountSeqEntity, target uint32) error {
-	switch engine {
-	case types.PostgresStoreEngine, types.SqliteStoreEngine:
-		const sqlStr = `
-			INSERT INTO account_seq_counters (account_id, entity, next_id)
-			VALUES (?, ?, ?)
-			ON CONFLICT (account_id, entity) DO UPDATE
-				SET next_id = GREATEST(account_seq_counters.next_id, EXCLUDED.next_id)
-		`
-		// sqlite's UPSERT understands max() but the migration uses GREATEST
-		// for postgres and max() for sqlite. We collapse to dialect-specific
-		// statements only when needed.
-		if engine == types.SqliteStoreEngine {
-			const sqliteSQL = `
-				INSERT INTO account_seq_counters (account_id, entity, next_id)
-				VALUES (?, ?, ?)
-				ON CONFLICT (account_id, entity) DO UPDATE
-					SET next_id = max(account_seq_counters.next_id, excluded.next_id)
-			`
-			return db.Exec(sqliteSQL, accountID, string(entity), target).Error
-		}
-		return db.Exec(sqlStr, accountID, string(entity), target).Error
-	case types.MysqlStoreEngine:
-		const sqlStr = `
-			INSERT INTO account_seq_counters (account_id, entity, next_id)
-			VALUES (?, ?, ?)
-			ON DUPLICATE KEY UPDATE next_id = GREATEST(next_id, VALUES(next_id))
-		`
-		return db.Exec(sqlStr, accountID, string(entity), target).Error
-	default:
-		return fmt.Errorf("unsupported store engine for account_seq counter: %v", engine)
-	}
-}
-
 // transaction wraps a GORM transaction with MySQL-specific FK checks handling
 // Use this instead of db.Transaction() directly to avoid deadlocks on MySQL/Aurora
 func (s *SqlStore) transaction(fn func(*gorm.DB) error) error {
@@ -4092,7 +3813,7 @@ func (s *SqlStore) UpdateGroup(ctx context.Context, group *types.Group) error {
 		return status.Errorf(status.InvalidArgument, "group is nil")
 	}
 
-	if err := s.db.Omit(clause.Associations, "account_seq_id").Save(group).Error; err != nil {
+	if err := s.db.Omit(clause.Associations).Save(group).Error; err != nil {
 		log.WithContext(ctx).Errorf("failed to save group to store: %v", err)
 		return status.Errorf(status.Internal, "failed to save group to store")
 	}
@@ -4180,7 +3901,7 @@ func (s *SqlStore) CreatePolicy(ctx context.Context, policy *types.Policy) error
 
 // SavePolicy saves a policy to the database.
 func (s *SqlStore) SavePolicy(ctx context.Context, policy *types.Policy) error {
-	result := s.db.Session(&gorm.Session{FullSaveAssociations: true}).Omit("account_seq_id").Save(policy)
+	result := s.db.Session(&gorm.Session{FullSaveAssociations: true}).Save(policy)
 	if err := result.Error; err != nil {
 		log.WithContext(ctx).Errorf("failed to save policy to the store: %s", err)
 		return status.Errorf(status.Internal, "failed to save policy to store")

management/server/store/store.go

@@ -223,11 +223,6 @@ type Store interface {
 	GetStoreEngine() types.Engine
 	ExecuteInTransaction(ctx context.Context, f func(store Store) error) error
 
-	// AllocateAccountSeqID returns the next per-account integer id for the given
-	// component kind. Must run inside a transaction so the increment is serialized
-	// with the component insert.
-	AllocateAccountSeqID(ctx context.Context, accountID string, entity types.AccountSeqEntity) (uint32, error)
-
 	GetAccountNetworks(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*networkTypes.Network, error)
 	GetNetworkByID(ctx context.Context, lockStrength LockingStrength, accountID, networkID string) (*networkTypes.Network, error)
 	SaveNetwork(ctx context.Context, network *networkTypes.Network) error
@@ -564,30 +559,6 @@ func getMigrationsPostAuto(ctx context.Context) []migrationFunc {
 		func(db *gorm.DB) error {
 			return migration.DropIndex[proxy.Proxy](ctx, db, "idx_proxy_account_id_unique")
 		},
-		func(db *gorm.DB) error {
-			return migration.BackfillAccountSeqIDs[types.Policy](ctx, db, types.AccountSeqEntityPolicy, "id")
-		},
-		func(db *gorm.DB) error {
-			return migration.BackfillAccountSeqIDs[types.Group](ctx, db, types.AccountSeqEntityGroup, "id")
-		},
-		func(db *gorm.DB) error {
-			return migration.BackfillAccountSeqIDs[route.Route](ctx, db, types.AccountSeqEntityRoute, "id")
-		},
-		func(db *gorm.DB) error {
-			return migration.BackfillAccountSeqIDs[resourceTypes.NetworkResource](ctx, db, types.AccountSeqEntityNetworkResource, "id")
-		},
-		func(db *gorm.DB) error {
-			return migration.BackfillAccountSeqIDs[routerTypes.NetworkRouter](ctx, db, types.AccountSeqEntityNetworkRouter, "id")
-		},
-		func(db *gorm.DB) error {
-			return migration.BackfillAccountSeqIDs[dns.NameServerGroup](ctx, db, types.AccountSeqEntityNameserverGroup, "id")
-		},
-		func(db *gorm.DB) error {
-			return migration.BackfillAccountSeqIDs[networkTypes.Network](ctx, db, types.AccountSeqEntityNetwork, "id")
-		},
-		func(db *gorm.DB) error {
-			return migration.BackfillAccountSeqIDs[posture.Checks](ctx, db, types.AccountSeqEntityPostureCheck, "id")
-		},
 	}
 }
 

management/server/store/store_mock.go

@@ -774,21 +774,6 @@ func (mr *MockStoreMockRecorder) EphemeralServiceExists(ctx, lockStrength, accou
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "EphemeralServiceExists", reflect.TypeOf((*MockStore)(nil).EphemeralServiceExists), ctx, lockStrength, accountID, peerID, domain)
 }
 
-// AllocateAccountSeqID mocks base method.
-func (m *MockStore) AllocateAccountSeqID(ctx context.Context, accountID string, entity types2.AccountSeqEntity) (uint32, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "AllocateAccountSeqID", ctx, accountID, entity)
-	ret0, _ := ret[0].(uint32)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// AllocateAccountSeqID indicates an expected call of AllocateAccountSeqID.
-func (mr *MockStoreMockRecorder) AllocateAccountSeqID(ctx, accountID, entity interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AllocateAccountSeqID", reflect.TypeOf((*MockStore)(nil).AllocateAccountSeqID), ctx, accountID, entity)
-}
-
 // ExecuteInTransaction mocks base method.
 func (m *MockStore) ExecuteInTransaction(ctx context.Context, f func(Store) error) error {
 	m.ctrl.T.Helper()

management/server/types/account.go

@@ -29,6 +29,7 @@ import (
 	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	"github.com/netbirdio/netbird/shared/management/status"
+	"github.com/netbirdio/netbird/version"
 )
 
 const (
@@ -41,8 +42,27 @@ const (
 	PublicCategory  = "public"
 	PrivateCategory = "private"
 	UnknownCategory = "unknown"
+
+	// firewallRuleMinPortRangesVer defines the minimum peer version that supports port range rules.
+	firewallRuleMinPortRangesVer = "0.48.0"
+	// firewallRuleMinNativeSSHVer defines the minimum peer version that supports native SSH features in the firewall rules.
+	firewallRuleMinNativeSSHVer = "0.60.0"
+
+	// nativeSSHPortString defines the default port number as a string used for native SSH connections; this port is used by clients when hijacking ssh connections.
+	nativeSSHPortString = "22022"
+	nativeSSHPortNumber = 22022
+	// defaultSSHPortString defines the standard SSH port number as a string, commonly used for default SSH connections.
+	defaultSSHPortString = "22"
+	defaultSSHPortNumber = 22
 )
 
+type supportedFeatures struct {
+	nativeSSH  bool
+	portRanges bool
+}
+
+type LookupMap map[string]struct{}
+
 // AccountMeta is a struct that contains a stripped down version of the Account object.
 // It doesn't carry any peers, groups, policies, or routes, etc. Just some metadata (e.g. ID, created by, created at, etc).
 type AccountMeta struct {
@@ -1050,7 +1070,7 @@ func (a *Account) GetPeerConnectionResources(ctx context.Context, peer *nbpeer.P
 				default:
 					authorizedUsers[auth.Wildcard] = a.getAllowedUserIDs()
 				}
-			} else if peerInDestinations && PolicyRuleImpliesLegacySSH(rule) && peer.SSHEnabled {
+			} else if peerInDestinations && policyRuleImpliesLegacySSH(rule) && peer.SSHEnabled {
 				sshEnabled = true
 				authorizedUsers[auth.Wildcard] = a.getAllowedUserIDs()
 			}
@@ -1116,15 +1136,15 @@ func (a *Account) connResourcesGenerator(ctx context.Context, targetPeer *nbpeer
 				if len(rule.Ports) == 0 && len(rule.PortRanges) == 0 {
 					rules = append(rules, &fr)
 				} else {
-					rules = append(rules, ExpandPortsAndRanges(fr, rule, targetPeer)...)
+					rules = append(rules, expandPortsAndRanges(fr, rule, targetPeer)...)
 				}
 
-				rules = AppendIPv6FirewallRule(rules, rulesExists, peer, targetPeer, rule, FirewallRuleContext{
-					Direction:   direction,
-					DirStr:      strconv.Itoa(direction),
-					ProtocolStr: string(protocol),
-					ActionStr:   string(rule.Action),
-					PortsJoined: strings.Join(rule.Ports, ","),
+				rules = appendIPv6FirewallRule(rules, rulesExists, peer, targetPeer, rule, firewallRuleContext{
+					direction:   direction,
+					dirStr:      strconv.Itoa(direction),
+					protocolStr: string(protocol),
+					actionStr:   string(rule.Action),
+					portsJoined: strings.Join(rule.Ports, ","),
 				})
 			}
 		}, func() ([]*nbpeer.Peer, []*FirewallRule) {
@@ -1132,6 +1152,10 @@ func (a *Account) connResourcesGenerator(ctx context.Context, targetPeer *nbpeer
 		}
 }
 
+func policyRuleImpliesLegacySSH(rule *PolicyRule) bool {
+	return rule.Protocol == PolicyRuleProtocolALL || (rule.Protocol == PolicyRuleProtocolTCP && (portsIncludesSSH(rule.Ports) || portRangeIncludesSSH(rule.PortRanges)))
+}
+
 // PeerSSHEnabledFromPolicies is the network-map-free equivalent of the sshEnabled
 // determination in GetPeerConnectionResources / CalculateNetworkMapFromComponents.
 func PeerSSHEnabledFromPolicies(policies []*Policy, peerID string, peerGroupIDs map[string]struct{}, peerSSHEnabled bool) bool {
@@ -1146,7 +1170,7 @@ func PeerSSHEnabledFromPolicies(policies []*Policy, peerID string, peerGroupIDs
 			}
 
 			isSSHRule := rule.Protocol == PolicyRuleProtocolNetbirdSSH ||
-				(PolicyRuleImpliesLegacySSH(rule) && peerSSHEnabled)
+				(policyRuleImpliesLegacySSH(rule) && peerSSHEnabled)
 			if !isSSHRule {
 				continue
 			}
@@ -1173,6 +1197,24 @@ func ruleHasDestination(rule *PolicyRule, peerID string, peerGroupIDs map[string
 	return false
 }
 
+func portRangeIncludesSSH(portRanges []RulePortRange) bool {
+	for _, pr := range portRanges {
+		if (pr.Start <= defaultSSHPortNumber && pr.End >= defaultSSHPortNumber) || (pr.Start <= nativeSSHPortNumber && pr.End >= nativeSSHPortNumber) {
+			return true
+		}
+	}
+	return false
+}
+
+func portsIncludesSSH(ports []string) bool {
+	for _, port := range ports {
+		if port == defaultSSHPortString || port == nativeSSHPortString {
+			return true
+		}
+	}
+	return false
+}
+
 // getAllPeersFromGroups for given peer ID and list of groups
 //
 // Returns a list of peers from specified groups that pass specified posture checks
@@ -1272,7 +1314,7 @@ func (a *Account) getRouteFirewallRules(ctx context.Context, peerID string, poli
 			}
 
 			rulePeers := a.getRulePeers(rule, policy.SourcePostureChecks, peerID, distributionPeers, validatedPeersMap)
-			rules := GenerateRouteFirewallRules(ctx, route, rule, rulePeers, FirewallRuleDirectionIN, includeIPv6)
+			rules := generateRouteFirewallRules(ctx, route, rule, rulePeers, FirewallRuleDirectionIN, includeIPv6)
 			fwRules = append(fwRules, rules...)
 		}
 	}
@@ -1765,6 +1807,96 @@ func (a *Account) createProxyPolicy(svc *service.Service, target *service.Target
 	}
 }
 
+// expandPortsAndRanges expands Ports and PortRanges of a rule into individual firewall rules
+func expandPortsAndRanges(base FirewallRule, rule *PolicyRule, peer *nbpeer.Peer) []*FirewallRule {
+	features := peerSupportedFirewallFeatures(peer.Meta.WtVersion)
+
+	var expanded []*FirewallRule
+
+	for _, port := range rule.Ports {
+		fr := base
+		fr.Port = port
+		expanded = append(expanded, &fr)
+	}
+
+	for _, portRange := range rule.PortRanges {
+		// prefer PolicyRule.Ports
+		if len(rule.Ports) > 0 {
+			break
+		}
+		fr := base
+
+		if features.portRanges {
+			fr.PortRange = portRange
+		} else {
+			// Peer doesn't support port ranges, only allow single-port ranges
+			if portRange.Start != portRange.End {
+				continue
+			}
+			fr.Port = strconv.FormatUint(uint64(portRange.Start), 10)
+		}
+		expanded = append(expanded, &fr)
+	}
+
+	if shouldCheckRulesForNativeSSH(features.nativeSSH, rule, peer) || rule.Protocol == PolicyRuleProtocolNetbirdSSH {
+		expanded = addNativeSSHRule(base, expanded)
+	}
+
+	return expanded
+}
+
+// addNativeSSHRule adds a native SSH rule (port 22022) to the expanded rules if the base rule has port 22 configured.
+func addNativeSSHRule(base FirewallRule, expanded []*FirewallRule) []*FirewallRule {
+	shouldAdd := false
+	for _, fr := range expanded {
+		if isPortInRule(nativeSSHPortString, 22022, fr) {
+			return expanded
+		}
+		if isPortInRule(defaultSSHPortString, 22, fr) {
+			shouldAdd = true
+		}
+	}
+	if !shouldAdd {
+		return expanded
+	}
+
+	fr := base
+	fr.Port = nativeSSHPortString
+	return append(expanded, &fr)
+}
+
+func isPortInRule(portString string, portInt uint16, rule *FirewallRule) bool {
+	return rule.Port == portString || (rule.PortRange.Start <= portInt && portInt <= rule.PortRange.End)
+}
+
+// shouldCheckRulesForNativeSSH determines whether specific policy rules should be checked for native SSH support.
+// While users can add the nativeSSHPortString, we look for cases when they used port 22 and based on SSH enabled
+// in both management and client, we indicate to add the native port.
+func shouldCheckRulesForNativeSSH(supportsNative bool, rule *PolicyRule, peer *nbpeer.Peer) bool {
+	return supportsNative && peer.SSHEnabled && peer.Meta.Flags.ServerSSHAllowed && rule.Protocol == PolicyRuleProtocolTCP
+}
+
+// peerSupportedFirewallFeatures checks if the peer version supports port ranges.
+func peerSupportedFirewallFeatures(peerVer string) supportedFeatures {
+	if version.IsDevelopmentVersion(peerVer) {
+		return supportedFeatures{true, true}
+	}
+
+	var features supportedFeatures
+
+	meetMinVer, err := posture.MeetsMinVersion(firewallRuleMinNativeSSHVer, peerVer)
+	features.nativeSSH = err == nil && meetMinVer
+
+	if features.nativeSSH {
+		features.portRanges = true
+	} else {
+		meetMinVer, err = posture.MeetsMinVersion(firewallRuleMinPortRangesVer, peerVer)
+		features.portRanges = err == nil && meetMinVer
+	}
+
+	return features
+}
+
 // filterZoneRecordsForPeers filters DNS records to only include peers to connect.
 // AAAA records are excluded when the requesting peer lacks IPv6 capability.
 func filterZoneRecordsForPeers(peer *nbpeer.Peer, customZone nbdns.CustomZone, peersToConnect, expiredPeers []*nbpeer.Peer) []nbdns.SimpleRecord {

management/server/types/account_components.go

@@ -16,49 +16,6 @@ import (
 	"github.com/netbirdio/netbird/route"
 )
 
-// GetPeerNetworkMapResult dispatches to either the legacy-NetworkMap path or
-// the components path based on the peer's capability and the kill switch.
-// Capable peers (PeerCapabilityComponentNetworkMap) get the raw components
-// shape — the server skips Calculate() entirely for them, saving CPU
-// proportional to the number of capable peers in the account. Legacy peers
-// (or any peer when componentsDisabled is true) get the fully-expanded
-// NetworkMap as before.
-func (a *Account) GetPeerNetworkMapResult(
-	ctx context.Context,
-	peerID string,
-	componentsDisabled bool,
-	peersCustomZone nbdns.CustomZone,
-	accountZones []*zones.Zone,
-	validatedPeersMap map[string]struct{},
-	resourcePolicies map[string][]*Policy,
-	routers map[string]map[string]*routerTypes.NetworkRouter,
-	metrics *telemetry.AccountManagerMetrics,
-	groupIDToUserIDs map[string][]string,
-) PeerNetworkMapResult {
-	peer := a.Peers[peerID]
-	if !componentsDisabled && peer != nil && peer.SupportsComponentNetworkMap() {
-		components := a.GetPeerNetworkMapComponents(
-			ctx, peerID, peersCustomZone, accountZones, validatedPeersMap, resourcePolicies, routers, groupIDToUserIDs,
-		)
-		// Mirror legacy graceful-degrade: GetPeerNetworkMapFromComponents
-		// returns &NetworkMap{Network: a.Network.Copy()} when components is
-		// nil. Match that floor so the receiving client always sees the
-		// account Network identifier, not a fully-empty envelope.
-		if components == nil {
-			components = &NetworkMapComponents{
-				PeerID:  peerID,
-				Network: a.Network.Copy(),
-			}
-		}
-		return PeerNetworkMapResult{Components: components}
-	}
-	return PeerNetworkMapResult{
-		NetworkMap: a.GetPeerNetworkMapFromComponents(
-			ctx, peerID, peersCustomZone, accountZones, validatedPeersMap, resourcePolicies, routers, metrics, groupIDToUserIDs,
-		),
-	}
-}
-
 func (a *Account) GetPeerNetworkMapFromComponents(
 	ctx context.Context,
 	peerID string,
@@ -125,27 +82,15 @@ func (a *Account) GetPeerNetworkMapComponents(
 	}
 
 	components := &NetworkMapComponents{
-		PeerID:               peerID,
-		Network:              a.Network.Copy(),
-		NameServerGroups:     make([]*nbdns.NameServerGroup, 0),
-		CustomZoneDomain:     peersCustomZone.Domain,
-		ResourcePoliciesMap:  make(map[string][]*Policy),
-		RoutersMap:           make(map[string]map[string]*routerTypes.NetworkRouter),
-		NetworkResources:     make([]*resourceTypes.NetworkResource, 0),
-		PostureFailedPeers:   make(map[string]map[string]struct{}, len(a.PostureChecks)),
-		RouterPeers:          make(map[string]*nbpeer.Peer),
-		NetworkXIDToSeq:      make(map[string]uint32, len(a.Networks)),
-		PostureCheckXIDToSeq: make(map[string]uint32, len(a.PostureChecks)),
-	}
-	for _, n := range a.Networks {
-		if n != nil && n.HasSeqID() {
-			components.NetworkXIDToSeq[n.ID] = n.AccountSeqID
-		}
-	}
-	for _, pc := range a.PostureChecks {
-		if pc != nil && pc.HasSeqID() {
-			components.PostureCheckXIDToSeq[pc.ID] = pc.AccountSeqID
-		}
+		PeerID:              peerID,
+		Network:             a.Network.Copy(),
+		NameServerGroups:    make([]*nbdns.NameServerGroup, 0),
+		CustomZoneDomain:    peersCustomZone.Domain,
+		ResourcePoliciesMap: make(map[string][]*Policy),
+		RoutersMap:          make(map[string]map[string]*routerTypes.NetworkRouter),
+		NetworkResources:    make([]*resourceTypes.NetworkResource, 0),
+		PostureFailedPeers:  make(map[string]map[string]struct{}, len(a.PostureChecks)),
+		RouterPeers:         make(map[string]*nbpeer.Peer),
 	}
 
 	components.AccountSettings = &AccountSettingsInfo{
@@ -264,26 +209,21 @@ func (a *Account) GetPeerNetworkMapComponents(
 			components.ResourcePoliciesMap[resource.ID] = policies
 		}
 
-		// Only expose router peers and the per-network routers_map when this
-		// target peer actually has access to the resource (either as a router
-		// itself or via a policy that includes it as a source). Without this
-		// gate, every peer's envelope was leaking router peers of every
-		// network in the account — accounts with many tenants/networks
-		// shipped tens of unrelated peers in `peers[]` and `routers_map`.
-		if addSourcePeers {
-			components.RoutersMap[resource.NetworkID] = networkRoutingPeers
-			for peerIDKey := range networkRoutingPeers {
-				if p := a.Peers[peerIDKey]; p != nil {
-					if _, exists := components.RouterPeers[peerIDKey]; !exists {
-						components.RouterPeers[peerIDKey] = p
-					}
-					if _, exists := components.Peers[peerIDKey]; !exists {
-						if _, validated := validatedPeersMap[peerIDKey]; validated {
-							components.Peers[peerIDKey] = p
-						}
+		components.RoutersMap[resource.NetworkID] = networkRoutingPeers
+		for peerIDKey := range networkRoutingPeers {
+			if p := a.Peers[peerIDKey]; p != nil {
+				if _, exists := components.RouterPeers[peerIDKey]; !exists {
+					components.RouterPeers[peerIDKey] = p
+				}
+				if _, exists := components.Peers[peerIDKey]; !exists {
+					if _, validated := validatedPeersMap[peerIDKey]; validated {
+						components.Peers[peerIDKey] = p
 					}
 				}
 			}
+		}
+
+		if addSourcePeers {
 			components.NetworkResources = append(components.NetworkResources, resource)
 		}
 	}
@@ -314,44 +254,18 @@ func (a *Account) getPeersGroupsPoliciesRoutes(
 
 	relevantPeerIDs[peerID] = a.GetPeer(peerID)
 
-	peerGroupSet := make(map[string]struct{}, 8)
 	for groupID, group := range a.Groups {
 		if slices.Contains(group.Peers, peerID) {
 			relevantGroupIDs[groupID] = a.GetGroup(groupID)
-			peerGroupSet[groupID] = struct{}{}
 		}
 	}
 
 	routeAccessControlGroups := make(map[string]struct{})
 	for _, r := range a.Routes {
-		if r == nil {
-			continue
-		}
-		relevant := r.Peer == peerID
-		if !relevant {
-			for _, groupID := range r.PeerGroups {
-				if _, ok := peerGroupSet[groupID]; ok {
-					relevant = true
-					break
-				}
-			}
-		}
-		if !relevant && r.Enabled {
-			for _, groupID := range r.Groups {
-				if _, ok := peerGroupSet[groupID]; ok {
-					relevant = true
-					break
-				}
-			}
-		}
-		if !relevant {
-			continue
-		}
-
-		for _, groupID := range r.PeerGroups {
+		for _, groupID := range r.Groups {
 			relevantGroupIDs[groupID] = a.GetGroup(groupID)
 		}
-		for _, groupID := range r.Groups {
+		for _, groupID := range r.PeerGroups {
 			relevantGroupIDs[groupID] = a.GetGroup(groupID)
 		}
 		if r.Enabled {
@@ -360,44 +274,6 @@ func (a *Account) getPeersGroupsPoliciesRoutes(
 				routeAccessControlGroups[groupID] = struct{}{}
 			}
 		}
-
-		// Include route advertisers in relevantPeerIDs. The envelope
-		// encoder writes route.peer_index by looking up r.Peer in the
-		// shipped peers list; if the advertiser is policy-isolated from
-		// the target peer (no rule edge between them), it would otherwise
-		// be omitted and the decoder would fail to resolve r.Peer, leaving
-		// the client without a WG tunnel target for this route. Legacy
-		// NetworkMap.Routes shipped the WG public key inline, so the
-		// equivalence path doesn't surface this — but the dependency is
-		// real once a client actually tries to use the route.
-		// Gate by validatedPeersMap so non-validated advertisers stay out
-		// (matches the network-resource router behaviour at the bottom of
-		// this loop, and the legacy invariant that only validated peers
-		// reach a client's view).
-		if r.Peer != "" {
-			if _, ok := validatedPeersMap[r.Peer]; ok {
-				if p := a.GetPeer(r.Peer); p != nil {
-					relevantPeerIDs[r.Peer] = p
-				}
-			}
-		}
-		for _, groupID := range r.PeerGroups {
-			g := a.GetGroup(groupID)
-			if g == nil {
-				continue
-			}
-			for _, pid := range g.Peers {
-				if _, exists := relevantPeerIDs[pid]; exists {
-					continue
-				}
-				if _, ok := validatedPeersMap[pid]; !ok {
-					continue
-				}
-				if p := a.GetPeer(pid); p != nil {
-					relevantPeerIDs[pid] = p
-				}
-			}
-		}
 		relevantRoutes = append(relevantRoutes, r)
 	}
 
@@ -477,7 +353,7 @@ func (a *Account) getPeersGroupsPoliciesRoutes(
 					default:
 						sshReqs.needAllowedUserIDs = true
 					}
-				} else if PolicyRuleImpliesLegacySSH(rule) && peerSSHEnabled {
+				} else if policyRuleImpliesLegacySSH(rule) && peerSSHEnabled {
 					sshReqs.needAllowedUserIDs = true
 				}
 			}
@@ -610,13 +486,6 @@ func (a *Account) getPostureValidPeersSaveFailed(inputPeers []string, postureChe
 	return dest
 }
 
-// filterGroupPeers trims each group's Peers slice to only those peers that
-// also appear in `peers`. Groups whose filtered list is empty are NOT
-// deleted from the map — they're kept so the components wire encoder can
-// still resolve seq references from routes/policies/access-control groups
-// that name them. Calculate() tolerates groups with empty Peers (the inner
-// loops simply iterate zero times), so retaining them is behaviourally a
-// no-op for the legacy path that consumes the same NetworkMapComponents.
 func filterGroupPeers(groups *map[string]*Group, peers map[string]*nbpeer.Peer) {
 	for groupID, groupInfo := range *groups {
 		filteredPeers := make([]string, 0, len(groupInfo.Peers))
@@ -626,7 +495,9 @@ func filterGroupPeers(groups *map[string]*Group, peers map[string]*nbpeer.Peer)
 			}
 		}
 
-		if len(filteredPeers) != len(groupInfo.Peers) {
+		if len(filteredPeers) == 0 {
+			delete(*groups, groupID)
+		} else if len(filteredPeers) != len(groupInfo.Peers) {
 			ng := groupInfo.Copy()
 			ng.Peers = filteredPeers
 			(*groups)[groupID] = ng

management/server/types/account_seq_counter.go

@@ -1,29 +0,0 @@
-package types
-
-// AccountSeqEntity identifies the kind of component that uses a per-account sequence.
-type AccountSeqEntity string
-
-const (
-	AccountSeqEntityPolicy          AccountSeqEntity = "policy"
-	AccountSeqEntityGroup           AccountSeqEntity = "group"
-	AccountSeqEntityRoute           AccountSeqEntity = "route"
-	AccountSeqEntityNetworkResource AccountSeqEntity = "network_resource"
-	AccountSeqEntityNetworkRouter   AccountSeqEntity = "network_router"
-	AccountSeqEntityNameserverGroup AccountSeqEntity = "nameserver_group"
-	AccountSeqEntityNetwork         AccountSeqEntity = "network"
-	AccountSeqEntityPostureCheck    AccountSeqEntity = "posture_check"
-)
-
-// AccountSeqCounter tracks the next per-account integer id for a given component
-// kind. Reads/writes go through the store inside the same transaction as the
-// component insert so two concurrent inserts cannot collide on the same id.
-type AccountSeqCounter struct {
-	AccountID string `gorm:"primaryKey;size:255"`
-	Entity    string `gorm:"primaryKey;size:32"`
-	NextID    uint32 `gorm:"not null;default:1"`
-}
-
-// TableName overrides the GORM-derived table name.
-func (AccountSeqCounter) TableName() string {
-	return "account_seq_counters"
-}

management/server/types/account_test.go

@@ -666,7 +666,7 @@ func Test_ExpandPortsAndRanges_SSHRuleExpansion(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result := ExpandPortsAndRanges(tt.base, tt.rule, tt.peer)
+			result := expandPortsAndRanges(tt.base, tt.rule, tt.peer)
 
 			var ports []string
 			for _, fr := range result {

management/server/types/aliases.go

@@ -1,142 +0,0 @@
-package types
-
-import (
-	"context"
-	"math/rand"
-	"net"
-	"net/netip"
-
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	nbroute "github.com/netbirdio/netbird/route"
-	sharedtypes "github.com/netbirdio/netbird/shared/management/types"
-)
-
-// Type aliases for types relocated to shared/management/types so that the
-// client-side compute path can depend on them
-
-type DNSSettings = sharedtypes.DNSSettings
-
-type FirewallRule = sharedtypes.FirewallRule
-
-type Group = sharedtypes.Group
-type GroupPeer = sharedtypes.GroupPeer
-
-type Network = sharedtypes.Network
-type NetworkMap = sharedtypes.NetworkMap
-type ForwardingRule = sharedtypes.ForwardingRule
-
-type Policy = sharedtypes.Policy
-type PolicyUpdateOperation = sharedtypes.PolicyUpdateOperation
-
-type PolicyRule = sharedtypes.PolicyRule
-type PolicyUpdateOperationType = sharedtypes.PolicyUpdateOperationType
-type PolicyTrafficActionType = sharedtypes.PolicyTrafficActionType
-type PolicyRuleProtocolType = sharedtypes.PolicyRuleProtocolType
-type PolicyRuleDirection = sharedtypes.PolicyRuleDirection
-type RulePortRange = sharedtypes.RulePortRange
-
-type Resource = sharedtypes.Resource
-type ResourceType = sharedtypes.ResourceType
-
-type RouteFirewallRule = sharedtypes.RouteFirewallRule
-
-type NetworkMapComponents = sharedtypes.NetworkMapComponents
-type AccountSettingsInfo = sharedtypes.AccountSettingsInfo
-
-type GroupCompact = sharedtypes.GroupCompact
-type NetworkMapComponentsCompact = sharedtypes.NetworkMapComponentsCompact
-
-type LookupMap = sharedtypes.LookupMap
-type FirewallRuleContext = sharedtypes.FirewallRuleContext
-
-const (
-	GroupIssuedAPI         = sharedtypes.GroupIssuedAPI
-	GroupIssuedJWT         = sharedtypes.GroupIssuedJWT
-	GroupIssuedIntegration = sharedtypes.GroupIssuedIntegration
-	GroupAllName           = sharedtypes.GroupAllName
-)
-
-// Function forwarders preserve types.X(...) call sites that previously
-// resolved to package-local funcs. Plain forwarders (not var aliases) keep
-// the symbol immutable and allow the inliner to flatten the call.
-
-func PolicyRuleImpliesLegacySSH(rule *PolicyRule) bool {
-	return sharedtypes.PolicyRuleImpliesLegacySSH(rule)
-}
-
-func ExpandPortsAndRanges(base FirewallRule, rule *PolicyRule, peer *nbpeer.Peer) []*FirewallRule {
-	return sharedtypes.ExpandPortsAndRanges(base, rule, peer)
-}
-
-func AppendIPv6FirewallRule(rules []*FirewallRule, rulesExists map[string]struct{}, peer, targetPeer *nbpeer.Peer, rule *PolicyRule, rc FirewallRuleContext) []*FirewallRule {
-	return sharedtypes.AppendIPv6FirewallRule(rules, rulesExists, peer, targetPeer, rule, rc)
-}
-
-func CalculateNetworkMapFromComponents(ctx context.Context, components *NetworkMapComponents) *NetworkMap {
-	return sharedtypes.CalculateNetworkMapFromComponents(ctx, components)
-}
-
-func GenerateRouteFirewallRules(ctx context.Context, route *nbroute.Route, rule *PolicyRule, groupPeers []*nbpeer.Peer, direction int, includeIPv6 bool) []*RouteFirewallRule {
-	return sharedtypes.GenerateRouteFirewallRules(ctx, route, rule, groupPeers, direction, includeIPv6)
-}
-
-func AllocateIPv6Subnet(r *rand.Rand) net.IPNet {
-	return sharedtypes.AllocateIPv6Subnet(r)
-}
-
-func NewNetwork() *Network {
-	return sharedtypes.NewNetwork()
-}
-
-func AllocatePeerIP(prefix netip.Prefix, takenIps []netip.Addr) (netip.Addr, error) {
-	return sharedtypes.AllocatePeerIP(prefix, takenIps)
-}
-
-func AllocateRandomPeerIP(prefix netip.Prefix) (netip.Addr, error) {
-	return sharedtypes.AllocateRandomPeerIP(prefix)
-}
-
-func AllocateRandomPeerIPv6(prefix netip.Prefix) (netip.Addr, error) {
-	return sharedtypes.AllocateRandomPeerIPv6(prefix)
-}
-
-func ParseRuleString(rule string) (PolicyRuleProtocolType, RulePortRange, error) {
-	return sharedtypes.ParseRuleString(rule)
-}
-
-const (
-	FirewallRuleDirectionIN  = sharedtypes.FirewallRuleDirectionIN
-	FirewallRuleDirectionOUT = sharedtypes.FirewallRuleDirectionOUT
-)
-
-const (
-	ResourceTypePeer   = sharedtypes.ResourceTypePeer
-	ResourceTypeDomain = sharedtypes.ResourceTypeDomain
-	ResourceTypeHost   = sharedtypes.ResourceTypeHost
-	ResourceTypeSubnet = sharedtypes.ResourceTypeSubnet
-)
-
-const (
-	PolicyTrafficActionAccept = sharedtypes.PolicyTrafficActionAccept
-	PolicyTrafficActionDrop   = sharedtypes.PolicyTrafficActionDrop
-)
-
-const (
-	PolicyRuleProtocolALL        = sharedtypes.PolicyRuleProtocolALL
-	PolicyRuleProtocolTCP        = sharedtypes.PolicyRuleProtocolTCP
-	PolicyRuleProtocolUDP        = sharedtypes.PolicyRuleProtocolUDP
-	PolicyRuleProtocolICMP       = sharedtypes.PolicyRuleProtocolICMP
-	PolicyRuleProtocolNetbirdSSH = sharedtypes.PolicyRuleProtocolNetbirdSSH
-)
-
-const (
-	PolicyRuleFlowDirect   = sharedtypes.PolicyRuleFlowDirect
-	PolicyRuleFlowBidirect = sharedtypes.PolicyRuleFlowBidirect
-)
-
-const (
-	DefaultRuleName          = sharedtypes.DefaultRuleName
-	DefaultRuleDescription   = sharedtypes.DefaultRuleDescription
-	DefaultPolicyName        = sharedtypes.DefaultPolicyName
-	DefaultPolicyDescription = sharedtypes.DefaultPolicyDescription
-)

management/server/types/firewall_rule.go

@@ -47,11 +47,11 @@ func (r *FirewallRule) Equal(other *FirewallRule) bool {
 	return reflect.DeepEqual(r, other)
 }
 
-// GenerateRouteFirewallRules generates a list of firewall rules for a given route.
+// generateRouteFirewallRules generates a list of firewall rules for a given route.
 // For static routes, source ranges match the destination family (v4 or v6).
 // For dynamic routes (domain-based), separate v4 and v6 rules are generated
 // so the routing peer's forwarding chain allows both address families.
-func GenerateRouteFirewallRules(ctx context.Context, route *nbroute.Route, rule *PolicyRule, groupPeers []*nbpeer.Peer, direction int, includeIPv6 bool) []*RouteFirewallRule {
+func generateRouteFirewallRules(ctx context.Context, route *nbroute.Route, rule *PolicyRule, groupPeers []*nbpeer.Peer, direction int, includeIPv6 bool) []*RouteFirewallRule {
 	rulesExists := make(map[string]struct{})
 	rules := make([]*RouteFirewallRule, 0)
 

management/server/types/firewall_rule_test.go

@@ -57,7 +57,7 @@ func TestGenerateRouteFirewallRules_V4Route(t *testing.T) {
 		Protocol: PolicyRuleProtocolALL,
 	}
 
-	rules := GenerateRouteFirewallRules(context.Background(), r, rule, peers, FirewallRuleDirectionIN, true)
+	rules := generateRouteFirewallRules(context.Background(), r, rule, peers, FirewallRuleDirectionIN, true)
 
 	require.Len(t, rules, 1)
 	assert.Equal(t, []string{"100.64.0.1/32", "100.64.0.2/32"}, rules[0].SourceRanges, "v4 route should only have v4 sources")
@@ -86,7 +86,7 @@ func TestGenerateRouteFirewallRules_V6Route(t *testing.T) {
 		Protocol: PolicyRuleProtocolALL,
 	}
 
-	rules := GenerateRouteFirewallRules(context.Background(), r, rule, peers, FirewallRuleDirectionIN, true)
+	rules := generateRouteFirewallRules(context.Background(), r, rule, peers, FirewallRuleDirectionIN, true)
 
 	require.Len(t, rules, 1)
 	assert.Equal(t, []string{"fd00::1/128"}, rules[0].SourceRanges, "v6 route should only have v6 sources")
@@ -115,7 +115,7 @@ func TestGenerateRouteFirewallRules_DynamicRoute_DualStack(t *testing.T) {
 		Protocol: PolicyRuleProtocolALL,
 	}
 
-	rules := GenerateRouteFirewallRules(context.Background(), r, rule, peers, FirewallRuleDirectionIN, true)
+	rules := generateRouteFirewallRules(context.Background(), r, rule, peers, FirewallRuleDirectionIN, true)
 
 	require.Len(t, rules, 2, "dynamic route should produce both v4 and v6 rules")
 	assert.Equal(t, []string{"100.64.0.1/32", "100.64.0.2/32"}, rules[0].SourceRanges)
@@ -143,7 +143,7 @@ func TestGenerateRouteFirewallRules_DynamicRoute_NoV6Peers(t *testing.T) {
 		Protocol: PolicyRuleProtocolALL,
 	}
 
-	rules := GenerateRouteFirewallRules(context.Background(), r, rule, peers, FirewallRuleDirectionIN, true)
+	rules := generateRouteFirewallRules(context.Background(), r, rule, peers, FirewallRuleDirectionIN, true)
 
 	require.Len(t, rules, 1, "no v6 peers means only v4 rule")
 	assert.Equal(t, []string{"100.64.0.1/32", "100.64.0.2/32"}, rules[0].SourceRanges)
@@ -173,7 +173,7 @@ func TestGenerateRouteFirewallRules_IncludeIPv6False(t *testing.T) {
 			Protocol: PolicyRuleProtocolALL,
 		}
 
-		rules := GenerateRouteFirewallRules(context.Background(), r, rule, peers, FirewallRuleDirectionIN, false)
+		rules := generateRouteFirewallRules(context.Background(), r, rule, peers, FirewallRuleDirectionIN, false)
 		assert.Empty(t, rules, "v6 route should produce no rules when includeIPv6 is false")
 	})
 
@@ -190,7 +190,7 @@ func TestGenerateRouteFirewallRules_IncludeIPv6False(t *testing.T) {
 			Protocol: PolicyRuleProtocolALL,
 		}
 
-		rules := GenerateRouteFirewallRules(context.Background(), r, rule, peers, FirewallRuleDirectionIN, false)
+		rules := generateRouteFirewallRules(context.Background(), r, rule, peers, FirewallRuleDirectionIN, false)
 		require.Len(t, rules, 1, "dynamic route with includeIPv6=false should produce only v4 rule")
 		assert.Equal(t, []string{"100.64.0.1/32", "100.64.0.2/32"}, rules[0].SourceRanges)
 	})

management/server/types/group.go

@@ -19,10 +19,6 @@ type Group struct {
 	// AccountID is a reference to Account that this object belongs
 	AccountID string `json:"-" gorm:"index"`
 
-	// AccountSeqID is a per-account monotonically increasing identifier used as the
-	// compact wire id when sending NetworkMap components to capable peers.
-	AccountSeqID uint32 `json:"-" gorm:"index:idx_groups_account_seq_id;not null;default:0"`
-
 	// Name visible in the UI
 	Name string
 
@@ -45,14 +41,6 @@ type GroupPeer struct {
 	PeerID    string `gorm:"primaryKey"`
 }
 
-// HasSeqID reports whether the group has been persisted long enough to have a
-// per-account sequence id allocated. Wire encoders that key off AccountSeqID
-// must skip groups that return false here — otherwise multiple unpersisted
-// groups would collide on id 0.
-func (g *Group) HasSeqID() bool {
-	return g != nil && g.AccountSeqID != 0
-}
-
 func (g *Group) LoadGroupPeers() {
 	g.Peers = make([]string, len(g.GroupPeers))
 	for i, peer := range g.GroupPeers {
@@ -86,7 +74,6 @@ func (g *Group) Copy() *Group {
 	group := &Group{
 		ID:                   g.ID,
 		AccountID:            g.AccountID,
-		AccountSeqID:         g.AccountSeqID,
 		Name:                 g.Name,
 		Issued:               g.Issued,
 		Peers:                make([]string, len(g.Peers)),

management/server/types/networkmap_components.go

@@ -42,17 +42,6 @@ type NetworkMapComponents struct {
 	PostureFailedPeers map[string]map[string]struct{}
 
 	RouterPeers map[string]*nbpeer.Peer
-
-	// NetworkXIDToSeq maps Network.ID (xid) → AccountSeqID. Populated by the
-	// account-side component builder; consumed by the envelope encoder to
-	// translate RoutersMap keys and NetworkResource.NetworkID references
-	// to compact uint32 ids. Legacy Calculate() doesn't consult it.
-	NetworkXIDToSeq map[string]uint32
-
-	// PostureCheckXIDToSeq maps posture.Checks.ID (xid) → AccountSeqID.
-	// Same role as NetworkXIDToSeq, used for PostureFailedPeers keys and
-	// policy SourcePostureChecks references.
-	PostureCheckXIDToSeq map[string]uint32
 }
 
 type AccountSettingsInfo struct {
@@ -263,7 +252,7 @@ func (c *NetworkMapComponents) getPeerConnectionResources(targetPeerID string) (
 				default:
 					authorizedUsers[auth.Wildcard] = c.getAllowedUserIDs()
 				}
-			} else if peerInDestinations && PolicyRuleImpliesLegacySSH(rule) && targetPeer.SSHEnabled {
+			} else if peerInDestinations && policyRuleImpliesLegacySSH(rule) && targetPeer.SSHEnabled {
 				sshEnabled = true
 				authorizedUsers[auth.Wildcard] = c.getAllowedUserIDs()
 			}
@@ -330,15 +319,15 @@ func (c *NetworkMapComponents) connResourcesGenerator(targetPeer *nbpeer.Peer) (
 				if len(rule.Ports) == 0 && len(rule.PortRanges) == 0 {
 					rules = append(rules, &fr)
 				} else {
-					rules = append(rules, ExpandPortsAndRanges(fr, rule, targetPeer)...)
+					rules = append(rules, expandPortsAndRanges(fr, rule, targetPeer)...)
 				}
 
-				rules = AppendIPv6FirewallRule(rules, rulesExists, peer, targetPeer, rule, FirewallRuleContext{
-					Direction:   direction,
-					DirStr:      dirStr,
-					ProtocolStr: protocolStr,
-					ActionStr:   actionStr,
-					PortsJoined: portsJoined,
+				rules = appendIPv6FirewallRule(rules, rulesExists, peer, targetPeer, rule, firewallRuleContext{
+					direction:   direction,
+					dirStr:      dirStr,
+					protocolStr: protocolStr,
+					actionStr:   actionStr,
+					portsJoined: portsJoined,
 				})
 			}
 		}, func() ([]*nbpeer.Peer, []*FirewallRule) {
@@ -695,7 +684,7 @@ func (c *NetworkMapComponents) getRouteFirewallRules(ctx context.Context, peerID
 			}
 
 			rulePeers := c.getRulePeers(rule, policy.SourcePostureChecks, peerID, distributionPeers)
-			rules := GenerateRouteFirewallRules(ctx, route, rule, rulePeers, FirewallRuleDirectionIN, includeIPv6)
+			rules := generateRouteFirewallRules(ctx, route, rule, rulePeers, FirewallRuleDirectionIN, includeIPv6)
 			fwRules = append(fwRules, rules...)
 		}
 	}
@@ -964,21 +953,21 @@ func (c *NetworkMapComponents) addNetworksRoutingPeers(
 	return peersToConnect
 }
 
-type FirewallRuleContext struct {
-	Direction   int
-	DirStr      string
-	ProtocolStr string
-	ActionStr   string
-	PortsJoined string
+type firewallRuleContext struct {
+	direction   int
+	dirStr      string
+	protocolStr string
+	actionStr   string
+	portsJoined string
 }
 
-func AppendIPv6FirewallRule(rules []*FirewallRule, rulesExists map[string]struct{}, peer, targetPeer *nbpeer.Peer, rule *PolicyRule, rc FirewallRuleContext) []*FirewallRule {
+func appendIPv6FirewallRule(rules []*FirewallRule, rulesExists map[string]struct{}, peer, targetPeer *nbpeer.Peer, rule *PolicyRule, rc firewallRuleContext) []*FirewallRule {
 	if !peer.IPv6.IsValid() || !targetPeer.SupportsIPv6() || !targetPeer.IPv6.IsValid() {
 		return rules
 	}
 
 	v6IP := peer.IPv6.String()
-	v6RuleID := rule.ID + v6IP + rc.DirStr + rc.ProtocolStr + rc.ActionStr + rc.PortsJoined
+	v6RuleID := rule.ID + v6IP + rc.dirStr + rc.protocolStr + rc.actionStr + rc.portsJoined
 	if _, ok := rulesExists[v6RuleID]; ok {
 		return rules
 	}
@@ -987,12 +976,12 @@ func AppendIPv6FirewallRule(rules []*FirewallRule, rulesExists map[string]struct
 	v6fr := FirewallRule{
 		PolicyID:  rule.ID,
 		PeerIP:    v6IP,
-		Direction: rc.Direction,
-		Action:    rc.ActionStr,
-		Protocol:  rc.ProtocolStr,
+		Direction: rc.direction,
+		Action:    rc.actionStr,
+		Protocol:  rc.protocolStr,
 	}
 	if len(rule.Ports) == 0 && len(rule.PortRanges) == 0 {
 		return append(rules, &v6fr)
 	}
-	return append(rules, ExpandPortsAndRanges(v6fr, rule, targetPeer)...)
+	return append(rules, expandPortsAndRanges(v6fr, rule, targetPeer)...)
 }

management/server/types/networkmap_wire_benchmark_test.go

@@ -1,180 +0,0 @@
-package types_test
-
-import (
-	"context"
-	"crypto/rand"
-	"encoding/base64"
-	"fmt"
-	"testing"
-
-	goproto "google.golang.org/protobuf/proto"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller/cache"
-	mgmtgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
-	"github.com/netbirdio/netbird/management/server/types"
-)
-
-// wireBenchScales — trimmed scale set for wire-size measurements. Encoding
-// and marshalling are linear, so the largest extremes don't add signal.
-var wireBenchScales = []benchmarkScale{
-	{"100peers_5groups", 100, 5},
-	{"500peers_20groups", 500, 20},
-	{"1000peers_50groups", 1000, 50},
-	{"5000peers_100groups", 5000, 100},
-}
-
-// populateAccountSeqIDs assigns deterministic AccountSeqIDs to every group and
-// policy in the account so that the component encoder can reference them. The
-// scalableTestAccount fixture builds entities by struct literal and skips this
-// step, but production paths populate the IDs via the store layer.
-func populateAccountSeqIDs(account *types.Account) {
-	var nextGroupSeq uint32 = 1
-	for _, g := range account.Groups {
-		g.AccountSeqID = nextGroupSeq
-		nextGroupSeq++
-	}
-	var nextPolicySeq uint32 = 1
-	for _, p := range account.Policies {
-		p.AccountSeqID = nextPolicySeq
-		nextPolicySeq++
-	}
-}
-
-// assignValidWgKeys overwrites every peer's Key with a valid base64-encoded
-// 32-byte string. The default scalableTestAccount uses unparsable strings
-// like "key-peer-0", which makes the components encoder emit a nil WgPubKey
-// and the legacy encoder ship 10-char placeholders — both shrink the wire
-// size in unrealistic ways. Production peers always have valid 44-char base64
-// keys, so any benchmark/breakdown that wants honest numbers must call this.
-func assignValidWgKeys(account *types.Account) {
-	for _, p := range account.Peers {
-		var raw [32]byte
-		_, _ = rand.Read(raw[:])
-		p.Key = base64.StdEncoding.EncodeToString(raw[:])
-	}
-}
-
-// BenchmarkNetworkMapWireEncode reports per-call ns and the marshaled wire
-// size for both encoding paths. Run with:
-//
-//	go test -run=^$ -bench=BenchmarkNetworkMapWireEncode -benchmem ./management/server/types/
-func BenchmarkNetworkMapWireEncode(b *testing.B) {
-	skipCIBenchmark(b)
-
-	for _, scale := range wireBenchScales {
-		account, validatedPeers := scalableTestAccount(scale.peers, scale.groups)
-		populateAccountSeqIDs(account)
-		assignValidWgKeys(account)
-
-		ctx := context.Background()
-		resourcePolicies := account.GetResourcePoliciesMap()
-		routers := account.GetResourceRoutersMap()
-		groupIDToUserIDs := account.GetActiveGroupUsers()
-
-		peerID := "peer-0"
-		peer := account.Peers[peerID]
-
-		networkMap := account.GetPeerNetworkMapFromComponents(ctx, peerID, nbdns.CustomZone{}, nil, validatedPeers, resourcePolicies, routers, nil, groupIDToUserIDs)
-		components := account.GetPeerNetworkMapComponents(ctx, peerID, nbdns.CustomZone{}, nil, validatedPeers, resourcePolicies, routers, groupIDToUserIDs)
-
-		dnsCache := &cache.DNSConfigCache{}
-		settings := &types.Settings{}
-
-		// Pre-encode once so the size metric is identical for every run inside
-		// the same scale; the b.Loop call only re-runs encode + Marshal.
-		legacyResp := mgmtgrpc.ToSyncResponse(ctx, nil, nil, nil, peer, nil, nil, networkMap, "netbird.cloud", nil, dnsCache, settings, nil, nil, 0)
-		legacyBytes, err := goproto.Marshal(legacyResp.NetworkMap)
-		if err != nil {
-			b.Fatalf("marshal legacy networkmap: %v", err)
-		}
-
-		envelopeInput := mgmtgrpc.ComponentsEnvelopeInput{
-			Components: components,
-			PeerConfig: legacyResp.NetworkMap.PeerConfig,
-			DNSDomain:  "netbird.cloud",
-		}
-		envelope := mgmtgrpc.EncodeNetworkMapEnvelope(envelopeInput)
-		envelopeBytes, err := goproto.Marshal(envelope)
-		if err != nil {
-			b.Fatalf("marshal envelope: %v", err)
-		}
-
-		b.Run(fmt.Sprintf("legacy/%s", scale.name), func(b *testing.B) {
-			b.ReportAllocs()
-			b.ReportMetric(float64(len(legacyBytes)), "bytes/msg")
-			b.ResetTimer()
-			for range b.N {
-				resp := mgmtgrpc.ToSyncResponse(ctx, nil, nil, nil, peer, nil, nil, networkMap, "netbird.cloud", nil, dnsCache, settings, nil, nil, 0)
-				if _, err := goproto.Marshal(resp.NetworkMap); err != nil {
-					b.Fatal(err)
-				}
-			}
-		})
-
-		b.Run(fmt.Sprintf("components/%s", scale.name), func(b *testing.B) {
-			b.ReportAllocs()
-			b.ReportMetric(float64(len(envelopeBytes)), "bytes/msg")
-			b.ResetTimer()
-			for range b.N {
-				env := mgmtgrpc.EncodeNetworkMapEnvelope(envelopeInput)
-				if _, err := goproto.Marshal(env); err != nil {
-					b.Fatal(err)
-				}
-			}
-		})
-	}
-}
-
-// BenchmarkNetworkMapWireSize is a fast snapshot of the wire size by scale
-// without a tight encode loop. Run with -bench to see one ns/op + bytes per
-// scale (treat the timing as informational; the sample is one Marshal per
-// scale, not the full b.N loop).
-func BenchmarkNetworkMapWireSize(b *testing.B) {
-	skipCIBenchmark(b)
-
-	for _, scale := range wireBenchScales {
-		account, validatedPeers := scalableTestAccount(scale.peers, scale.groups)
-		populateAccountSeqIDs(account)
-		assignValidWgKeys(account)
-
-		ctx := context.Background()
-		resourcePolicies := account.GetResourcePoliciesMap()
-		routers := account.GetResourceRoutersMap()
-		groupIDToUserIDs := account.GetActiveGroupUsers()
-
-		peerID := "peer-0"
-		peer := account.Peers[peerID]
-
-		networkMap := account.GetPeerNetworkMapFromComponents(ctx, peerID, nbdns.CustomZone{}, nil, validatedPeers, resourcePolicies, routers, nil, groupIDToUserIDs)
-		components := account.GetPeerNetworkMapComponents(ctx, peerID, nbdns.CustomZone{}, nil, validatedPeers, resourcePolicies, routers, groupIDToUserIDs)
-
-		dnsCache := &cache.DNSConfigCache{}
-		settings := &types.Settings{}
-
-		legacyResp := mgmtgrpc.ToSyncResponse(ctx, nil, nil, nil, peer, nil, nil, networkMap, "netbird.cloud", nil, dnsCache, settings, nil, nil, 0)
-		legacyBytes, err := goproto.Marshal(legacyResp.NetworkMap)
-		if err != nil {
-			b.Fatalf("marshal legacy networkmap: %v", err)
-		}
-
-		env := mgmtgrpc.EncodeNetworkMapEnvelope(mgmtgrpc.ComponentsEnvelopeInput{
-			Components: components,
-			PeerConfig: legacyResp.NetworkMap.PeerConfig,
-			DNSDomain:  "netbird.cloud",
-		})
-		envBytes, err := goproto.Marshal(env)
-		if err != nil {
-			b.Fatalf("marshal envelope: %v", err)
-		}
-
-		b.Run(fmt.Sprintf("size/%s", scale.name), func(b *testing.B) {
-			b.ReportMetric(float64(len(legacyBytes)), "legacy_bytes")
-			b.ReportMetric(float64(len(envBytes)), "components_bytes")
-			ratio := float64(len(envBytes)) / float64(len(legacyBytes))
-			b.ReportMetric(ratio, "components/legacy")
-			for range b.N {
-			}
-		})
-	}
-}

management/server/types/networkmap_wire_breakdown_test.go

@@ -1,150 +0,0 @@
-package types_test
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"testing"
-
-	goproto "google.golang.org/protobuf/proto"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller/cache"
-	mgmtgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-// TestNetworkMapWireBreakdown is a one-shot diagnostic: it computes the wire
-// size attributable to each top-level field of both the legacy NetworkMap and
-// the components NetworkMapEnvelope at the 5000-peer scale, so the migration
-// docs can attribute the size reduction to each optimization. Runs only on
-// demand via -run TestNetworkMapWireBreakdown.
-func TestNetworkMapWireBreakdown(t *testing.T) {
-	if testing.Short() {
-		t.Skip("size diagnostic, skipped with -short")
-	}
-	if os.Getenv("NB_RUN_WIRE_BREAKDOWN") != "1" {
-		t.Skip("set NB_RUN_WIRE_BREAKDOWN=1 to run wire breakdown diagnostic")
-	}
-
-	const peerCount, groupCount = 5000, 100
-	account, validatedPeers := scalableTestAccount(peerCount, groupCount)
-	populateAccountSeqIDs(account)
-	assignValidWgKeys(account)
-
-	ctx := context.Background()
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-	groupIDToUserIDs := account.GetActiveGroupUsers()
-
-	peerID := "peer-0"
-	peer := account.Peers[peerID]
-	networkMap := account.GetPeerNetworkMapFromComponents(ctx, peerID, nbdns.CustomZone{}, nil, validatedPeers, resourcePolicies, routers, nil, groupIDToUserIDs)
-	components := account.GetPeerNetworkMapComponents(ctx, peerID, nbdns.CustomZone{}, nil, validatedPeers, resourcePolicies, routers, groupIDToUserIDs)
-
-	dnsCache := &cache.DNSConfigCache{}
-	settings := &types.Settings{}
-
-	legacyResp := mgmtgrpc.ToSyncResponse(ctx, nil, nil, nil, peer, nil, nil, networkMap, "netbird.cloud", nil, dnsCache, settings, nil, nil, 0)
-	legacyTotal := mustMarshalSize(t, legacyResp.NetworkMap)
-
-	envelope := mgmtgrpc.EncodeNetworkMapEnvelope(mgmtgrpc.ComponentsEnvelopeInput{
-		Components: components,
-		PeerConfig: legacyResp.NetworkMap.PeerConfig,
-		DNSDomain:  "netbird.cloud",
-	})
-	componentsTotal := mustMarshalSize(t, envelope)
-
-	t.Logf("\n=== LEGACY NetworkMap (%d peers, %d groups) ===", peerCount, groupCount)
-	t.Logf("  Total: %d bytes\n", legacyTotal)
-
-	legacyBreakdown := []struct {
-		name string
-		nm   *proto.NetworkMap
-	}{
-		{"RemotePeers", &proto.NetworkMap{RemotePeers: legacyResp.NetworkMap.RemotePeers}},
-		{"OfflinePeers", &proto.NetworkMap{OfflinePeers: legacyResp.NetworkMap.OfflinePeers}},
-		{"FirewallRules", &proto.NetworkMap{FirewallRules: legacyResp.NetworkMap.FirewallRules}},
-		{"Routes", &proto.NetworkMap{Routes: legacyResp.NetworkMap.Routes}},
-		{"RoutesFirewallRules", &proto.NetworkMap{RoutesFirewallRules: legacyResp.NetworkMap.RoutesFirewallRules}},
-		{"DNSConfig", &proto.NetworkMap{DNSConfig: legacyResp.NetworkMap.DNSConfig}},
-		{"PeerConfig", &proto.NetworkMap{PeerConfig: legacyResp.NetworkMap.PeerConfig}},
-		{"SshAuth", &proto.NetworkMap{SshAuth: legacyResp.NetworkMap.SshAuth}},
-	}
-	for _, e := range legacyBreakdown {
-		size := mustMarshalSize(t, e.nm)
-		t.Logf("  %-22s %8d bytes  %5.1f%%", e.name, size, pct(size, legacyTotal))
-	}
-
-	full := envelope.GetFull()
-	if full == nil {
-		t.Fatalf("expected full network map envelope payload, got nil")
-	}
-	t.Logf("\n=== COMPONENTS NetworkMapEnvelope (%d peers, %d groups) ===", peerCount, groupCount)
-	t.Logf("  Total: %d bytes  (%.1f%% of legacy)\n", componentsTotal, pct(componentsTotal, legacyTotal))
-
-	componentsBreakdown := []struct {
-		name string
-		nm   *proto.NetworkMapComponentsFull
-	}{
-		{"Peers", &proto.NetworkMapComponentsFull{Peers: full.Peers}},
-		{"Policies", &proto.NetworkMapComponentsFull{Policies: full.Policies}},
-		{"Groups", &proto.NetworkMapComponentsFull{Groups: full.Groups}},
-		{"Routes (raw)", &proto.NetworkMapComponentsFull{Routes: full.Routes}},
-		{"NameServerGroups", &proto.NetworkMapComponentsFull{NameserverGroups: full.NameserverGroups}},
-		{"AllDNSRecords", &proto.NetworkMapComponentsFull{AllDnsRecords: full.AllDnsRecords}},
-		{"AccountZones", &proto.NetworkMapComponentsFull{AccountZones: full.AccountZones}},
-		{"NetworkResources", &proto.NetworkMapComponentsFull{NetworkResources: full.NetworkResources}},
-		{"RoutersMap", &proto.NetworkMapComponentsFull{RoutersMap: full.RoutersMap}},
-		{"ResourcePoliciesMap", &proto.NetworkMapComponentsFull{ResourcePoliciesMap: full.ResourcePoliciesMap}},
-		{"GroupIDToUserIDs", &proto.NetworkMapComponentsFull{GroupIdToUserIds: full.GroupIdToUserIds}},
-		{"AllowedUserIDs", &proto.NetworkMapComponentsFull{AllowedUserIds: full.AllowedUserIds}},
-		{"PostureFailedPeers", &proto.NetworkMapComponentsFull{PostureFailedPeers: full.PostureFailedPeers}},
-		{"DNSSettings", &proto.NetworkMapComponentsFull{DnsSettings: full.DnsSettings}},
-		{"PeerConfig", &proto.NetworkMapComponentsFull{PeerConfig: full.PeerConfig}},
-		{"AgentVersions", &proto.NetworkMapComponentsFull{AgentVersions: full.AgentVersions}},
-	}
-	for _, e := range componentsBreakdown {
-		size := mustMarshalSize(t, e.nm)
-		t.Logf("  %-22s %8d bytes  %5.1f%%", e.name, size, pct(size, componentsTotal))
-	}
-
-	t.Logf("\n=== Per-PeerCompact average ===")
-	if len(full.Peers) > 0 {
-		t.Logf("  PeerCompact avg: %d bytes/peer", mustMarshalSize(t, &proto.NetworkMapComponentsFull{Peers: full.Peers})/len(full.Peers))
-	}
-	if len(legacyResp.NetworkMap.RemotePeers) > 0 {
-		t.Logf("  RemotePeer avg:  %d bytes/peer",
-			mustMarshalSize(t, &proto.NetworkMap{RemotePeers: legacyResp.NetworkMap.RemotePeers})/len(legacyResp.NetworkMap.RemotePeers))
-	}
-
-	t.Logf("\n=== FirewallRule expansion footprint ===")
-	t.Logf("  legacy FirewallRules count: %d", len(legacyResp.NetworkMap.FirewallRules))
-	t.Logf("  components Policies count:  %d", len(full.Policies))
-	t.Logf("  components Groups count:    %d", len(full.Groups))
-
-	totalGroupPeerIdxs := 0
-	for _, g := range full.Groups {
-		totalGroupPeerIdxs += len(g.PeerIndexes)
-	}
-	t.Logf("  components peer-index refs across all groups: %d", totalGroupPeerIdxs)
-}
-
-func mustMarshalSize(t *testing.T, m goproto.Message) int {
-	b, err := goproto.Marshal(m)
-	if err != nil {
-		t.Fatalf("marshal: %v", err)
-	}
-	return len(b)
-}
-
-func pct(part, total int) float64 {
-	if total == 0 {
-		return 0
-	}
-	return 100 * float64(part) / float64(total)
-}
-
-// Stops fmt being unused if the breakdown loop above is later commented out.
-var _ = fmt.Sprintf

management/server/types/peer_networkmap_result.go

@@ -1,25 +0,0 @@
-package types
-
-// PeerNetworkMapResult is what the network_map controller produces for a
-// single peer. Exactly one of NetworkMap or Components is populated depending
-// on the peer's capability:
-//
-//   - Components-capable peers (PeerCapabilityComponentNetworkMap) get
-//     Components: the raw types.NetworkMapComponents the client decodes and
-//     runs Calculate() on locally. NetworkMap stays nil — the server skips
-//     the expansion entirely.
-//   - Legacy peers (or any peer when the kill switch is set) get NetworkMap:
-//     the fully-expanded view the legacy gRPC path consumes.
-//
-// The gRPC layer (ToSyncResponseForPeer) dispatches by which field is
-// non-nil; callers must not rely on both being set.
-type PeerNetworkMapResult struct {
-	NetworkMap *NetworkMap
-	Components *NetworkMapComponents
-}
-
-// IsComponents reports whether the result carries the components shape.
-// Use this in preference to direct nil checks on the fields.
-func (r PeerNetworkMapResult) IsComponents() bool {
-	return r.Components != nil
-}

management/server/types/peer_networkmap_result_test.go

@@ -1,104 +0,0 @@
-package types_test
-
-import (
-	"context"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/types"
-)
-
-// helper: marks the given peer as components-capable.
-func markCapable(p *nbpeer.Peer) {
-	p.Meta.Capabilities = append(p.Meta.Capabilities, nbpeer.PeerCapabilityComponentNetworkMap)
-}
-
-func TestGetPeerNetworkMapResult_CapablePeerGetsComponents(t *testing.T) {
-	account, validatedPeers := scalableTestAccount(10, 2)
-	markCapable(account.Peers["peer-0"])
-
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-	groupIDToUserIDs := account.GetActiveGroupUsers()
-
-	result := account.GetPeerNetworkMapResult(
-		context.Background(),
-		"peer-0",
-		false, // componentsDisabled
-		nbdns.CustomZone{},
-		nil,
-		validatedPeers,
-		resourcePolicies,
-		routers,
-		nil,
-		groupIDToUserIDs,
-	)
-
-	require.True(t, result.IsComponents(), "capable peer must get the components shape")
-	assert.Nil(t, result.NetworkMap)
-	require.NotNil(t, result.Components)
-	assert.Equal(t, "peer-0", result.Components.PeerID)
-}
-
-func TestGetPeerNetworkMapResult_LegacyPeerGetsNetworkMap(t *testing.T) {
-	account, validatedPeers := scalableTestAccount(10, 2)
-	// peer-0 left without the component capability
-
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-	groupIDToUserIDs := account.GetActiveGroupUsers()
-
-	result := account.GetPeerNetworkMapResult(
-		context.Background(),
-		"peer-0",
-		false,
-		nbdns.CustomZone{},
-		nil,
-		validatedPeers,
-		resourcePolicies,
-		routers,
-		nil,
-		groupIDToUserIDs,
-	)
-
-	assert.False(t, result.IsComponents())
-	assert.Nil(t, result.Components)
-	require.NotNil(t, result.NetworkMap, "legacy peer must get a NetworkMap")
-}
-
-func TestGetPeerNetworkMapResult_KillSwitchOverridesCapability(t *testing.T) {
-	// Capable peer + componentsDisabled=true → falls back to legacy.
-	account, validatedPeers := scalableTestAccount(10, 2)
-	markCapable(account.Peers["peer-0"])
-
-	resourcePolicies := account.GetResourcePoliciesMap()
-	routers := account.GetResourceRoutersMap()
-	groupIDToUserIDs := account.GetActiveGroupUsers()
-
-	result := account.GetPeerNetworkMapResult(
-		context.Background(),
-		"peer-0",
-		true, // componentsDisabled = true (kill switch)
-		nbdns.CustomZone{},
-		nil,
-		validatedPeers,
-		resourcePolicies,
-		routers,
-		nil,
-		groupIDToUserIDs,
-	)
-
-	assert.False(t, result.IsComponents(), "kill switch must force legacy NetworkMap path")
-	assert.Nil(t, result.Components)
-	require.NotNil(t, result.NetworkMap)
-}
-
-func TestPeerNetworkMapResult_IsComponents(t *testing.T) {
-	assert.True(t, types.PeerNetworkMapResult{Components: &types.NetworkMapComponents{}}.IsComponents())
-	assert.False(t, types.PeerNetworkMapResult{NetworkMap: &types.NetworkMap{}}.IsComponents())
-	assert.False(t, types.PeerNetworkMapResult{}.IsComponents())
-}

management/server/types/policy.go

@@ -59,10 +59,6 @@ type Policy struct {
 	// AccountID is a reference to Account that this object belongs
 	AccountID string `json:"-" gorm:"index"`
 
-	// AccountSeqID is a per-account monotonically increasing identifier used as the
-	// compact wire id when sending NetworkMap components to capable peers.
-	AccountSeqID uint32 `json:"-" gorm:"index:idx_policies_account_seq_id;not null;default:0"`
-
 	// Name of the Policy
 	Name string
 
@@ -79,19 +75,11 @@ type Policy struct {
 	SourcePostureChecks []string `gorm:"serializer:json"`
 }
 
-// HasSeqID reports whether the policy has been persisted long enough to have
-// a per-account sequence id allocated. Wire encoders that key off
-// AccountSeqID must skip policies that return false here.
-func (p *Policy) HasSeqID() bool {
-	return p != nil && p.AccountSeqID != 0
-}
-
 // Copy returns a copy of the policy.
 func (p *Policy) Copy() *Policy {
 	c := &Policy{
 		ID:                  p.ID,
 		AccountID:           p.AccountID,
-		AccountSeqID:        p.AccountSeqID,
 		Name:                p.Name,
 		Description:         p.Description,
 		Enabled:             p.Enabled,