do in-memory meta update

.github/workflows/check-license-dependencies.yml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -59,12 +59,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Set up Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
           cache: true

.github/workflows/git-town.yml

@@ -15,7 +15,7 @@ jobs:
       pull-requests: write
 
     steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - uses: git-town/action@3d8b878379abb1ee393fb49865a28b4a6c2cd3b0 # v1.2.1

.github/workflows/golang-test-darwin.yml

@@ -16,12 +16,12 @@ jobs:
     runs-on: macos-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
           cache: false
@@ -48,7 +48,7 @@ jobs:
         run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -coverprofile=coverage.txt -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
 
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f #v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           slug: netbirdio/netbird

.github/workflows/golang-test-freebsd.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -28,7 +28,7 @@ jobs:
         id: test
         env:
           GO_VERSION: ${{ steps.goversion.outputs.version }}
-        uses: vmactions/freebsd-vm@b84ab5559b5a1bb4b8ee2737d2506a16e1737636 # v1.4.8
+        uses: vmactions/freebsd-vm@d1e65811565151536c0c894fff74f06351ed26e6 # v1.4.5
         with:
           usesh: true
           copyback: false

.github/workflows/golang-test-linux.yml

@@ -18,7 +18,7 @@ jobs:
       management: ${{ steps.filter.outputs.management }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -30,7 +30,7 @@ jobs:
               - 'management/**'
 
       - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
           cache: false
@@ -119,12 +119,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
           cache: false
@@ -162,7 +162,7 @@ jobs:
 
       - name: Upload coverage reports to Codecov
         if: matrix.arch == 'amd64'
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f #v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           slug: netbirdio/netbird
@@ -175,12 +175,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
           cache: false
@@ -246,12 +246,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
           cache: false
@@ -290,7 +290,7 @@ jobs:
 
       - name: Upload coverage reports to Codecov
         if: matrix.arch == 'amd64'
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f #v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           slug: netbirdio/netbird
@@ -306,12 +306,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
           cache: false
@@ -347,7 +347,7 @@ jobs:
 
       - name: Upload coverage reports to Codecov
         if: matrix.arch == 'amd64'
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f #v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           slug: netbirdio/netbird
@@ -363,12 +363,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
           cache: false
@@ -407,7 +407,7 @@ jobs:
 
       - name: Upload coverage reports to Codecov
         if: matrix.arch == 'amd64'
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f #v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           slug: netbirdio/netbird
@@ -424,12 +424,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
           cache: false
@@ -484,7 +484,7 @@ jobs:
 
       - name: Upload coverage reports to Codecov
         if: matrix.arch == 'amd64'
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f #v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           slug: netbirdio/netbird
@@ -529,12 +529,12 @@ jobs:
             prom/prometheus
 
       - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
           cache: false
@@ -623,12 +623,12 @@ jobs:
             prom/prometheus
 
       - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
           cache: false
@@ -692,12 +692,12 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
           cache: false
@@ -734,7 +734,7 @@ jobs:
 
       - name: Upload coverage reports to Codecov
         if: matrix.arch == 'amd64'
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f #v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           slug: netbirdio/netbird

.github/workflows/golang-test-windows.yml

@@ -18,12 +18,12 @@ jobs:
     runs-on: windows-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         id: go
         with:
           go-version-file: "go.mod"

.github/workflows/golangci-lint.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: codespell
@@ -40,7 +40,7 @@ jobs:
     timeout-minutes: 15
     steps:
       - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Check for duplicate constants
@@ -48,7 +48,7 @@ jobs:
         run: |
           ! awk '/const \(/,/)/{print $0}' management/server/activity/codes.go | grep -o '= [0-9]*' | sort | uniq -d | grep .
       - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
           cache: false

.github/workflows/install-script-test.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 

.github/workflows/mobile-build-validation.yml

@@ -16,11 +16,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
       - name: Setup Android SDK
@@ -28,7 +28,7 @@ jobs:
         with:
           cmdline-tools-version: 8512546
       - name: Setup Java
-        uses: actions/setup-java@ad2b38190b15e4d6bdf0c97fb4fca8412226d287
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
         with:
           java-version: "11"
           distribution: "adopt"
@@ -54,11 +54,11 @@ jobs:
     runs-on: macos-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
       - name: install gomobile

.github/workflows/release.yml

@@ -9,13 +9,10 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.1.6"
-  GORELEASER_VER: "v2.16.0"
+  SIGN_PIPE_VER: "v0.1.5"
+  GORELEASER_VER: "v2.14.3"
   PRODUCT_NAME: "NetBird"
   COPYRIGHT: "NetBird GmbH"
-  flags: ""
-  SKIP_PUBLISH: "true"
-  SKIP_DOCKER_PUSH: "false"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
@@ -27,7 +24,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -64,7 +61,7 @@ jobs:
         if: steps.check_diff.outputs.diff_exists == 'true'
         env:
           GO_VERSION: ${{ steps.goversion.outputs.version }}
-        uses: vmactions/freebsd-vm@b84ab5559b5a1bb4b8ee2737d2506a16e1737636 # v1.4.8
+        uses: vmactions/freebsd-vm@d1e65811565151536c0c894fff74f06351ed26e6 # v1.4.5
         with:
           usesh: true
           copyback: false
@@ -133,9 +130,11 @@ jobs:
       windows_packages_artifact_url: ${{ steps.upload_windows_packages.outputs.artifact-url }}
       macos_packages_artifact_url: ${{ steps.upload_macos_packages.outputs.artifact-url }}
       ghcr_images: ${{ steps.tag_and_push_images.outputs.images_markdown }}
+    env:
+      flags: ""
     steps:
       - name: Checkout
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0 # It is required for GoReleaser to work properly
           persist-credentials: false
@@ -144,29 +143,10 @@ jobs:
         id: semver_parser
         uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
 
-      - name: Set snapshot flag
-        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
-        run: | 
-          echo "flags=--snapshot" >> $GITHUB_ENV
-
-      - name: Set build vars
-        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
-        run: |
-          if [[ "x-${{ steps.semver_parser.outputs.prerelease }}" == "x-" && "x-${{ github.repository }}" == "x-netbirdio/netbird" ]]; then
-            echo "x-${{ github.repository }}" 
-            echo "x-${{ steps.semver_parser.outputs.prerelease }}"
-            echo "SKIP_PUBLISH=false" >> $GITHUB_ENV
-          else
-            echo "x-${{ github.repository }}" 
-            echo "x-${{ steps.semver_parser.outputs.prerelease }}"
-          fi
-          
-          if [[ "x-${{ github.repository }}" != "x-netbirdio/netbird" ]]; then
-            echo "SKIP_DOCKER_PUSH=true" >> $GITHUB_ENV
-          fi
-
+      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
+        run: echo "flags=--snapshot" >> $GITHUB_ENV
       - name: Set up Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
           cache: false
@@ -186,9 +166,9 @@ jobs:
       - name: check git status
         run: git --no-pager diff --exit-code
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 #v4.1.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a #v4.0.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 #v4.1.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0
       - name: Login to Docker hub
         if: github.event_name != 'pull_request'
         uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
@@ -221,7 +201,7 @@ jobs:
         run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
       - name: Run GoReleaser
         id: goreleaser
-        uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
+        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
         with:
           version: ${{ env.GORELEASER_VER }}
           args: release --clean ${{ env.flags }}
@@ -232,8 +212,6 @@ jobs:
           UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
           GPG_RPM_KEY_FILE: ${{ env.GPG_RPM_KEY_FILE }}
           NFPM_NETBIRD_RPM_PASSPHRASE: ${{ secrets.GPG_RPM_PASSPHRASE }}
-          SKIP_PUBLISH: ${{ env.SKIP_PUBLISH }}
-          SKIP_DOCKER_PUSH: ${{ env.SKIP_DOCKER_PUSH }}
       - name: Verify RPM signatures
         run: |
           docker run --rm -v $(pwd)/dist:/dist fedora:41 bash -c '
@@ -347,7 +325,7 @@ jobs:
       release_ui_artifact_url: ${{ steps.upload_release_ui.outputs.artifact-url }}
     steps:
       - name: Checkout
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0 # It is required for GoReleaser to work properly
           persist-credentials: false
@@ -356,25 +334,11 @@ jobs:
         id: semver_parser
         uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
 
-      - name: Set snapshot flag
-        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
-        run: |
-          echo "flags=--snapshot" >> $GITHUB_ENV
-
-      - name: Set build vars
-        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
-        run: |
-          if [[ "x-${{ steps.semver_parser.outputs.prerelease }}" == "x-" && "x-${{ github.repository }}" == "x-netbirdio/netbird" ]]; then
-            echo "x-${{ github.repository }}" 
-            echo "x-${{ steps.semver_parser.outputs.prerelease }}"
-            echo "SKIP_PUBLISH=false" >> $GITHUB_ENV
-          else
-            echo "x-${{ github.repository }}" 
-            echo "x-${{ steps.semver_parser.outputs.prerelease }}"
-          fi
+      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
+        run: echo "flags=--snapshot" >> $GITHUB_ENV
 
       - name: Set up Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
           cache: false
@@ -420,7 +384,7 @@ jobs:
         run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/ui/manifest.xml -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_arm64.syso
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
+        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
         with:
           version: ${{ env.GORELEASER_VER }}
           args: release --config .goreleaser_ui.yaml --clean ${{ env.flags }}
@@ -431,7 +395,6 @@ jobs:
           UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
           GPG_RPM_KEY_FILE: ${{ env.GPG_RPM_KEY_FILE }}
           NFPM_NETBIRD_UI_RPM_PASSPHRASE: ${{ secrets.GPG_RPM_PASSPHRASE }}
-          SKIP_PUBLISH: ${{ env.SKIP_PUBLISH }}
       - name: Verify RPM signatures
         run: |
           docker run --rm -v $(pwd)/dist:/dist fedora:41 bash -c '
@@ -464,12 +427,12 @@ jobs:
       - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
         run: echo "flags=--snapshot" >> $GITHUB_ENV
       - name: Checkout
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0 # It is required for GoReleaser to work properly
           persist-credentials: false
       - name: Set up Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
           cache: false
@@ -488,7 +451,7 @@ jobs:
         run: git --no-pager diff --exit-code
       - name: Run GoReleaser
         id: goreleaser
-        uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
+        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
         with:
           version: ${{ env.GORELEASER_VER }}
           args: release --config .goreleaser_ui_darwin.yaml --clean ${{ env.flags }}
@@ -522,7 +485,7 @@ jobs:
       downloadPath: '${{ github.workspace }}\temp'
     steps:
       - name: Checkout
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -534,13 +497,13 @@ jobs:
         run: echo "C:\Program Files\7-Zip" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
 
       - name: Download release artifacts
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.1
         with:
           name: release
           path: release
 
       - name: Download UI release artifacts
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.1
         with:
           name: release-ui
           path: release-ui

.github/workflows/test-infrastructure-files.yml

@@ -68,12 +68,12 @@ jobs:
         run: sudo apt-get install -y curl
 
       - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
 
@@ -207,7 +207,7 @@ jobs:
       - name: Build management docker image
         working-directory: management
         run: |
-          docker build -t netbirdio/management:latest --build-arg TARGETPLATFORM=. .
+          docker build -t netbirdio/management:latest .
 
       - name: Build signal binary
         working-directory: signal
@@ -216,7 +216,7 @@ jobs:
       - name: Build signal docker image
         working-directory: signal
         run: |
-          docker build -t netbirdio/signal:latest --build-arg TARGETPLATFORM=. .
+          docker build -t netbirdio/signal:latest .
 
       - name: Build relay binary
         working-directory: relay
@@ -225,7 +225,7 @@ jobs:
       - name: Build relay docker image
         working-directory: relay
         run: |
-          docker build -t netbirdio/relay:latest --build-arg TARGETPLATFORM=. .
+          docker build -t netbirdio/relay:latest .
 
       - name: run docker compose up
         working-directory: infrastructure_files/artifacts
@@ -256,7 +256,7 @@ jobs:
         run: sudo apt-get install -y jq
 
       - name: Checkout code
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 

.github/workflows/wasm-build-validation.yml

@@ -19,11 +19,11 @@ jobs:
       GOARCH: wasm
     steps:
       - name: Checkout repository
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
       - name: Install dependencies
@@ -44,11 +44,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Install Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: "go.mod"
       - name: Build Wasm client

.goreleaser.yaml

@@ -1,7 +1,5 @@
 version: 2
-env:
-  - SKIP_PUBLISH={{ if index .Env "SKIP_PUBLISH" }}{{ .Env.SKIP_PUBLISH }}{{ else }}true{{ end }}
-  - SKIP_DOCKER_PUSH={{ if index .Env "SKIP_DOCKER_PUSH" }}{{ .Env.SKIP_DOCKER_PUSH }}{{ else }}false{{ end }}
+
 project_name: netbird
 builds:
   - id: netbird-wasm
@@ -76,8 +74,6 @@ builds:
       - amd64
       - arm64
       - arm
-    goarm:
-      - 7
     ldflags:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
@@ -92,8 +88,6 @@ builds:
       - amd64
       - arm64
       - arm
-    goarm:
-      - 7
     ldflags:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
@@ -108,8 +102,6 @@ builds:
       - amd64
       - arm64
       - arm
-    goarm:
-      - 7
     ldflags:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
@@ -130,8 +122,6 @@ builds:
       - amd64
       - arm64
       - arm
-    goarm:
-      - 7
     ldflags:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
@@ -146,8 +136,6 @@ builds:
       - amd64
       - arm64
       - arm
-    goarm:
-      - 7
     ldflags:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
@@ -162,8 +150,6 @@ builds:
       - amd64
       - arm64
       - arm
-    goarm:
-      - 7
     ldflags:
       - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.BuildDate={{.CommitDate}}
     mod_timestamp: "{{ .CommitTimestamp }}"
@@ -184,8 +170,6 @@ builds:
       - amd64
       - arm64
       - arm
-    goarm:
-      - 7
     ldflags:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
@@ -238,192 +222,670 @@ nfpms:
     rpm:
       signature:
         key_file: '{{ if index .Env "GPG_RPM_KEY_FILE" }}{{ .Env.GPG_RPM_KEY_FILE }}{{ end }}'
-dockers_v2:
-   - id: netbird
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
-     ids:
-       - netbird
-     images:
-       - netbirdio/netbird
-       - ghcr.io/netbirdio/netbird
-     tags:
-       - "{{ .Version }}"
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
-     dockerfile: client/Dockerfile
-     extra_files:
-       - client/netbird-entrypoint.sh
-     platforms:
-       - linux/amd64
-       - linux/arm64
-       - linux/arm/6
-     annotations:
-       "org.opencontainers.image.created": "{{.Date}}"
-       "org.opencontainers.image.title": "{{.ProjectName}}"
-       "org.opencontainers.image.version": "{{.Version}}"
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
-       "org.opencontainers.image.source": "{{.GitURL}}"
-       "maintainer": "dev@netbird.io"
-   - id: netbird-rootless
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
-     ids:
-       - netbird
-     images:
-       - netbirdio/netbird
-       - ghcr.io/netbirdio/netbird
-     tags:
-       - "v{{ .Version }}-rootless"
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
-     dockerfile: client/Dockerfile-rootless
-     extra_files:
-       - client/netbird-entrypoint.sh
-     platforms:
-       - linux/amd64
-       - linux/arm64
-       - linux/arm/6
-     annotations:
-       "org.opencontainers.image.created": "{{.Date}}"
-       "org.opencontainers.image.title": "{{.ProjectName}}"
-       "org.opencontainers.image.version": "{{.Version}}"
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
-       "org.opencontainers.image.source": "{{.GitURL}}"
-       "maintainer": "dev@netbird.io"
-   - id: relay
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
-     ids:
-       - netbird-relay
-     images:
-       - netbirdio/relay
-       - ghcr.io/netbirdio/relay
-     tags:
-       - "{{ .Version }}"
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
-     dockerfile: relay/Dockerfile
-     platforms:
-       - linux/amd64
-       - linux/arm64
-       - linux/arm
-     annotations:
-       "org.opencontainers.image.created": "{{.Date}}"
-       "org.opencontainers.image.title": "{{.ProjectName}}"
-       "org.opencontainers.image.version": "{{.Version}}"
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
-       "org.opencontainers.image.source": "{{.GitURL}}"
-       "maintainer": "dev@netbird.io"
-   - id: signal
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
-     ids:
-       - netbird-signal
-     images:
-       - netbirdio/signal
-       - ghcr.io/netbirdio/signal
-     tags:
-       - "{{ .Version }}"
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
-     dockerfile: signal/Dockerfile
-     platforms:
-       - linux/amd64
-       - linux/arm64
-       - linux/arm
-     annotations:
-       "org.opencontainers.image.created": "{{.Date}}"
-       "org.opencontainers.image.title": "{{.ProjectName}}"
-       "org.opencontainers.image.version": "{{.Version}}"
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
-       "org.opencontainers.image.source": "{{.GitURL}}"
-       "maintainer": "dev@netbird.io"
-   - id: management
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
-     ids:
-       - netbird-mgmt
-     images:
-       - netbirdio/management
-       - ghcr.io/netbirdio/management
-     tags:
-       - "{{ .Version }}"
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
-     dockerfile: management/Dockerfile
-     platforms:
-       - linux/amd64
-       - linux/arm64
-       - linux/arm
-     annotations:
-       "org.opencontainers.image.created": "{{.Date}}"
-       "org.opencontainers.image.title": "{{.ProjectName}}"
-       "org.opencontainers.image.version": "{{.Version}}"
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
-       "org.opencontainers.image.source": "{{.GitURL}}"
-       "maintainer": "dev@netbird.io"
-   - id: upload
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
-     ids:
-       - netbird-upload
-     images:
-       - netbirdio/upload
-       - ghcr.io/netbirdio/upload
-     tags:
-       - "{{ .Version }}"
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
-     dockerfile: upload-server/Dockerfile
-     platforms:
-       - linux/amd64
-       - linux/arm64
-       - linux/arm
-     annotations:
-       "org.opencontainers.image.created": "{{.Date}}"
-       "org.opencontainers.image.title": "{{.ProjectName}}"
-       "org.opencontainers.image.version": "{{.Version}}"
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
-       "org.opencontainers.image.source": "{{.GitURL}}"
-       "maintainer": "dev@netbird.io"
-   - id: netbird-server
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
-     ids:
-       - netbird-server
-     images:
-       - netbirdio/netbird-server
-       - ghcr.io/netbirdio/netbird-server
-     tags:
-       - "{{ .Version }}"
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
-     dockerfile: combined/Dockerfile
-     platforms:
-       - linux/amd64
-       - linux/arm64
-       - linux/arm
-     annotations:
-       "org.opencontainers.image.created": "{{.Date}}"
-       "org.opencontainers.image.title": "{{.ProjectName}}"
-       "org.opencontainers.image.version": "{{.Version}}"
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
-       "org.opencontainers.image.source": "{{.GitURL}}"
-       "maintainer": "dev@netbird.io"
-   - id: netbird-proxy
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
-     ids:
-       - netbird-proxy
-     images:
-       - netbirdio/reverse-proxy
-       - ghcr.io/netbirdio/reverse-proxy
-     tags:
-       - "{{ .Version }}"
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
-     dockerfile: proxy/Dockerfile
-     platforms:
-       - linux/amd64
-       - linux/arm64
-       - linux/arm
-     annotations:
-       "org.opencontainers.image.created": "{{.Date}}"
-       "org.opencontainers.image.title": "{{.ProjectName}}"
-       "org.opencontainers.image.version": "{{.Version}}"
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
-       "org.opencontainers.image.source": "{{.GitURL}}"
-       "maintainer": "dev@netbird.io"
+dockers:
+  - image_templates:
+      - netbirdio/netbird:{{ .Version }}-amd64
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
+    ids:
+      - netbird
+    goarch: amd64
+    use: buildx
+    dockerfile: client/Dockerfile
+    extra_files:
+      - client/netbird-entrypoint.sh
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
+    ids:
+      - netbird
+    goarch: arm64
+    use: buildx
+    dockerfile: client/Dockerfile
+    extra_files:
+      - client/netbird-entrypoint.sh
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird:{{ .Version }}-arm
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
+    ids:
+      - netbird
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: client/Dockerfile
+    extra_files:
+      - client/netbird-entrypoint.sh
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+
+  - image_templates:
+      - netbirdio/netbird:{{ .Version }}-rootless-amd64
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
+    ids:
+      - netbird
+    goarch: amd64
+    use: buildx
+    dockerfile: client/Dockerfile-rootless
+    extra_files:
+      - client/netbird-entrypoint.sh
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
+    ids:
+      - netbird
+    goarch: arm64
+    use: buildx
+    dockerfile: client/Dockerfile-rootless
+    extra_files:
+      - client/netbird-entrypoint.sh
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird:{{ .Version }}-rootless-arm
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
+    ids:
+      - netbird
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: client/Dockerfile-rootless
+    extra_files:
+      - client/netbird-entrypoint.sh
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+
+  - image_templates:
+      - netbirdio/relay:{{ .Version }}-amd64
+      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
+    ids:
+      - netbird-relay
+    goarch: amd64
+    use: buildx
+    dockerfile: relay/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/relay:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
+    ids:
+      - netbird-relay
+    goarch: arm64
+    use: buildx
+    dockerfile: relay/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/relay:{{ .Version }}-arm
+      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
+    ids:
+      - netbird-relay
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: relay/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/signal:{{ .Version }}-amd64
+      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
+    ids:
+      - netbird-signal
+    goarch: amd64
+    use: buildx
+    dockerfile: signal/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/signal:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
+    ids:
+      - netbird-signal
+    goarch: arm64
+    use: buildx
+    dockerfile: signal/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/signal:{{ .Version }}-arm
+      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
+    ids:
+      - netbird-signal
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: signal/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-amd64
+      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
+    ids:
+      - netbird-mgmt
+    goarch: amd64
+    use: buildx
+    dockerfile: management/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
+    ids:
+      - netbird-mgmt
+    goarch: arm64
+    use: buildx
+    dockerfile: management/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-arm
+      - ghcr.io/netbirdio/management:{{ .Version }}-arm
+    ids:
+      - netbird-mgmt
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: management/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-debug-amd64
+      - ghcr.io/netbirdio/management:{{ .Version }}-debug-amd64
+    ids:
+      - netbird-mgmt
+    goarch: amd64
+    use: buildx
+    dockerfile: management/Dockerfile.debug
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-debug-arm64v8
+      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm64v8
+    ids:
+      - netbird-mgmt
+    goarch: arm64
+    use: buildx
+    dockerfile: management/Dockerfile.debug
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-debug-arm
+      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm
+    ids:
+      - netbird-mgmt
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: management/Dockerfile.debug
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/upload:{{ .Version }}-amd64
+      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
+    ids:
+      - netbird-upload
+    goarch: amd64
+    use: buildx
+    dockerfile: upload-server/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/upload:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
+    ids:
+      - netbird-upload
+    goarch: arm64
+    use: buildx
+    dockerfile: upload-server/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/upload:{{ .Version }}-arm
+      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
+    ids:
+      - netbird-upload
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: upload-server/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird-server:{{ .Version }}-amd64
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
+    ids:
+      - netbird-server
+    goarch: amd64
+    use: buildx
+    dockerfile: combined/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird-server:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
+    ids:
+      - netbird-server
+    goarch: arm64
+    use: buildx
+    dockerfile: combined/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird-server:{{ .Version }}-arm
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
+    ids:
+      - netbird-server
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: combined/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/reverse-proxy:{{ .Version }}-amd64
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
+    ids:
+      - netbird-proxy
+    goarch: amd64
+    use: buildx
+    dockerfile: proxy/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
+    ids:
+      - netbird-proxy
+    goarch: arm64
+    use: buildx
+    dockerfile: proxy/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/reverse-proxy:{{ .Version }}-arm
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
+    ids:
+      - netbird-proxy
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: proxy/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=maintainer=dev@netbird.io"
+docker_manifests:
+  - name_template: netbirdio/netbird:{{ .Version }}
+    image_templates:
+      - netbirdio/netbird:{{ .Version }}-arm64v8
+      - netbirdio/netbird:{{ .Version }}-arm
+      - netbirdio/netbird:{{ .Version }}-amd64
+
+  - name_template: netbirdio/netbird:latest
+    image_templates:
+      - netbirdio/netbird:{{ .Version }}-arm64v8
+      - netbirdio/netbird:{{ .Version }}-arm
+      - netbirdio/netbird:{{ .Version }}-amd64
+
+  - name_template: netbirdio/netbird:{{ .Version }}-rootless
+    image_templates:
+      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
+      - netbirdio/netbird:{{ .Version }}-rootless-arm
+      - netbirdio/netbird:{{ .Version }}-rootless-amd64
+
+  - name_template: netbirdio/netbird:rootless-latest
+    image_templates:
+      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
+      - netbirdio/netbird:{{ .Version }}-rootless-arm
+      - netbirdio/netbird:{{ .Version }}-rootless-amd64
+
+  - name_template: netbirdio/relay:{{ .Version }}
+    image_templates:
+      - netbirdio/relay:{{ .Version }}-arm64v8
+      - netbirdio/relay:{{ .Version }}-arm
+      - netbirdio/relay:{{ .Version }}-amd64
+
+  - name_template: netbirdio/relay:latest
+    image_templates:
+      - netbirdio/relay:{{ .Version }}-arm64v8
+      - netbirdio/relay:{{ .Version }}-arm
+      - netbirdio/relay:{{ .Version }}-amd64
+
+  - name_template: netbirdio/signal:{{ .Version }}
+    image_templates:
+      - netbirdio/signal:{{ .Version }}-arm64v8
+      - netbirdio/signal:{{ .Version }}-arm
+      - netbirdio/signal:{{ .Version }}-amd64
+
+  - name_template: netbirdio/signal:latest
+    image_templates:
+      - netbirdio/signal:{{ .Version }}-arm64v8
+      - netbirdio/signal:{{ .Version }}-arm
+      - netbirdio/signal:{{ .Version }}-amd64
+
+  - name_template: netbirdio/management:{{ .Version }}
+    image_templates:
+      - netbirdio/management:{{ .Version }}-arm64v8
+      - netbirdio/management:{{ .Version }}-arm
+      - netbirdio/management:{{ .Version }}-amd64
+
+  - name_template: netbirdio/management:latest
+    image_templates:
+      - netbirdio/management:{{ .Version }}-arm64v8
+      - netbirdio/management:{{ .Version }}-arm
+      - netbirdio/management:{{ .Version }}-amd64
+
+  - name_template: netbirdio/management:debug-latest
+    image_templates:
+      - netbirdio/management:{{ .Version }}-debug-arm64v8
+      - netbirdio/management:{{ .Version }}-debug-arm
+      - netbirdio/management:{{ .Version }}-debug-amd64
+  - name_template: netbirdio/upload:{{ .Version }}
+    image_templates:
+      - netbirdio/upload:{{ .Version }}-arm64v8
+      - netbirdio/upload:{{ .Version }}-arm
+      - netbirdio/upload:{{ .Version }}-amd64
+
+  - name_template: netbirdio/upload:latest
+    image_templates:
+      - netbirdio/upload:{{ .Version }}-arm64v8
+      - netbirdio/upload:{{ .Version }}-arm
+      - netbirdio/upload:{{ .Version }}-amd64
+
+  - name_template: netbirdio/netbird-server:{{ .Version }}
+    image_templates:
+      - netbirdio/netbird-server:{{ .Version }}-arm64v8
+      - netbirdio/netbird-server:{{ .Version }}-arm
+      - netbirdio/netbird-server:{{ .Version }}-amd64
+
+  - name_template: netbirdio/netbird-server:latest
+    image_templates:
+      - netbirdio/netbird-server:{{ .Version }}-arm64v8
+      - netbirdio/netbird-server:{{ .Version }}-arm
+      - netbirdio/netbird-server:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}
+    image_templates:
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/netbird:latest
+    image_templates:
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}-rootless
+    image_templates:
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
+
+  - name_template: ghcr.io/netbirdio/netbird:rootless-latest
+    image_templates:
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
+
+  - name_template: ghcr.io/netbirdio/relay:{{ .Version }}
+    image_templates:
+      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
+      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/relay:latest
+    image_templates:
+      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
+      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/signal:{{ .Version }}
+    image_templates:
+      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
+      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/signal:latest
+    image_templates:
+      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
+      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/management:{{ .Version }}
+    image_templates:
+      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/management:{{ .Version }}-arm
+      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/management:latest
+    image_templates:
+      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/management:{{ .Version }}-arm
+      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/management:debug-latest
+    image_templates:
+      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm64v8
+      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm
+      - ghcr.io/netbirdio/management:{{ .Version }}-debug-amd64
+
+  - name_template: ghcr.io/netbirdio/upload:{{ .Version }}
+    image_templates:
+      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
+      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/upload:latest
+    image_templates:
+      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
+      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/netbird-server:{{ .Version }}
+    image_templates:
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/netbird-server:latest
+    image_templates:
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
+      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
+
+  - name_template: netbirdio/reverse-proxy:{{ .Version }}
+    image_templates:
+      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
+      - netbirdio/reverse-proxy:{{ .Version }}-arm
+      - netbirdio/reverse-proxy:{{ .Version }}-amd64
+
+  - name_template: netbirdio/reverse-proxy:latest
+    image_templates:
+      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
+      - netbirdio/reverse-proxy:{{ .Version }}-arm
+      - netbirdio/reverse-proxy:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/reverse-proxy:{{ .Version }}
+    image_templates:
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
+
+  - name_template: ghcr.io/netbirdio/reverse-proxy:latest
+    image_templates:
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
+      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
 
 brews:
   - ids:
       - default
-    skip_upload: "{{ .Env.SKIP_PUBLISH }}"
     repository:
       owner: netbirdio
       name: homebrew-tap
@@ -440,7 +902,6 @@ brews:
 
 uploads:
   - name: debian
-    skip: "{{ .Env.SKIP_PUBLISH }}"
     ids:
       - netbird_deb
     mode: archive
@@ -449,7 +910,6 @@ uploads:
     method: PUT
 
   - name: yum
-    skip: "{{ .Env.SKIP_PUBLISH }}"
     ids:
       - netbird_rpm
     mode: archive
@@ -462,13 +922,9 @@ checksum:
     - glob: ./infrastructure_files/getting-started-with-zitadel.sh
     - glob: ./release_files/install.sh
     - glob: ./infrastructure_files/getting-started.sh
-    - glob: ./infrastructure_files/getting-started-enterprise.sh
-    - glob: ./infrastructure_files/migrate-to-enterprise.sh
 
 release:
   extra_files:
     - glob: ./infrastructure_files/getting-started-with-zitadel.sh
     - glob: ./release_files/install.sh
     - glob: ./infrastructure_files/getting-started.sh
-    - glob: ./infrastructure_files/getting-started-enterprise.sh
-    - glob: ./infrastructure_files/migrate-to-enterprise.sh

.goreleaser_ui.yaml

@@ -1,6 +1,5 @@
 version: 2
-env:
-  - SKIP_PUBLISH={{ if index .Env "SKIP_PUBLISH" }}{{ .Env.SKIP_PUBLISH }}{{ else }}true{{ end }}
+
 project_name: netbird-ui
 builds:
   - id: netbird-ui
@@ -102,7 +101,6 @@ nfpms:
 
 uploads:
   - name: debian
-    skip: "{{ .Env.SKIP_PUBLISH }}"
     ids:
       - netbird_ui_deb
     mode: archive
@@ -111,7 +109,6 @@ uploads:
     method: PUT
 
   - name: yum
-    skip: "{{ .Env.SKIP_PUBLISH }}"
     ids:
       - netbird_ui_rpm
     mode: archive

client/Dockerfile

@@ -4,7 +4,7 @@
 #   sudo podman build -t localhost/netbird:latest -f client/Dockerfile --ignorefile .dockerignore-client .
 #   sudo podman run --rm -it --cap-add={BPF,NET_ADMIN,NET_RAW} localhost/netbird:latest
 
-FROM alpine:3.24
+FROM alpine:3.23.3
 # iproute2: busybox doesn't display ip rules properly
 RUN apk add --no-cache \
     bash \
@@ -21,7 +21,7 @@ ENV \
     NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
 
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]
-ARG TARGETPLATFORM
-ARG NETBIRD_BINARY=$TARGETPLATFORM/netbird
+
+ARG NETBIRD_BINARY=netbird
 COPY client/netbird-entrypoint.sh /usr/local/bin/netbird-entrypoint.sh
 COPY "${NETBIRD_BINARY}"  /usr/local/bin/netbird

client/Dockerfile-rootless

@@ -4,7 +4,7 @@
 #   podman build -t localhost/netbird:latest -f client/Dockerfile --ignorefile .dockerignore-client .
 #   podman run --rm -it --cap-add={BPF,NET_ADMIN,NET_RAW} localhost/netbird:latest
 
-FROM alpine:3.24
+FROM alpine:3.22.0
 
 RUN apk add --no-cache \
       bash \
@@ -27,7 +27,7 @@ ENV \
     NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
 
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]
-ARG TARGETPLATFORM
-ARG NETBIRD_BINARY=$TARGETPLATFORM/netbird
+
+ARG NETBIRD_BINARY=netbird
 COPY client/netbird-entrypoint.sh /usr/local/bin/netbird-entrypoint.sh
 COPY "${NETBIRD_BINARY}"  /usr/local/bin/netbird

client/android/profile_manager.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	log "github.com/sirupsen/logrus"
 
@@ -23,7 +24,6 @@ const (
 
 // Profile represents a profile for gomobile
 type Profile struct {
-	ID       string
 	Name     string
 	IsActive bool
 }
@@ -53,10 +53,10 @@ func (p *ProfileArray) Get(i int) *Profile {
 ├── state.json                                  ← Default profile state
 ├── active_profile.json                         ← Active profile tracker (JSON with Name + Username)
 └── profiles/                                   ← Subdirectory for non-default profiles
-    ├── work.json                              			← Legacy work profile config
-    ├── work.state.json                        			← Legacy work profile state
-    ├── 4c5f5c8198c3989cffb5b5394f5a7ae0.json  			← ID profile config
-    ├── 4c5f5c8198c3989cffb5b5394f5a7ae0.state.json ← ID profile state
+    ├── work.json                              ← Work profile config
+    ├── work.state.json                        ← Work profile state
+    ├── personal.json                          ← Personal profile config
+    └── personal.state.json                    ← Personal profile state
 */
 
 // ProfileManager manages profiles for Android
@@ -99,7 +99,6 @@ func (pm *ProfileManager) ListProfiles() (*ProfileArray, error) {
 	var profiles []*Profile
 	for _, p := range internalProfiles {
 		profiles = append(profiles, &Profile{
-			ID:       p.ID.String(),
 			Name:     p.Name,
 			IsActive: p.IsActive,
 		})
@@ -109,65 +108,55 @@ func (pm *ProfileManager) ListProfiles() (*ProfileArray, error) {
 }
 
 // GetActiveProfile returns the currently active profile name
-func (pm *ProfileManager) GetActiveProfile() (*Profile, error) {
+func (pm *ProfileManager) GetActiveProfile() (string, error) {
 	// Use ServiceManager to stay consistent with ListProfiles
 	// ServiceManager uses active_profile.json
 	activeState, err := pm.serviceMgr.GetActiveProfileState()
 	if err != nil {
-		return nil, fmt.Errorf("failed to get active profile: %w", err)
+		return "", fmt.Errorf("failed to get active profile: %w", err)
 	}
-
-	// ActiveProfileState only stores the ID (and username), not the display
-	// name. Resolve the ID to the full profile so callers get the real Name.
-	prof, err := pm.serviceMgr.ResolveProfile(activeState.ID.String(), androidUsername)
-	if err != nil {
-		return nil, fmt.Errorf("failed to resolve active profile %q: %w", activeState.ID, err)
-	}
-	return &Profile{ID: prof.ID.String(), Name: prof.Name, IsActive: true}, nil
+	return activeState.Name, nil
 }
 
 // SwitchProfile switches to a different profile
-func (pm *ProfileManager) SwitchProfile(id string) error {
+func (pm *ProfileManager) SwitchProfile(profileName string) error {
 	// Use ServiceManager to stay consistent with ListProfiles
 	// ServiceManager uses active_profile.json
 	err := pm.serviceMgr.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		ID:       profilemanager.ID(id),
+		Name:     profileName,
 		Username: androidUsername,
 	})
 	if err != nil {
 		return fmt.Errorf("failed to switch profile: %w", err)
 	}
 
-	log.Infof("switched to profile: %s", id)
+	log.Infof("switched to profile: %s", profileName)
 	return nil
 }
 
 // AddProfile creates a new profile
 func (pm *ProfileManager) AddProfile(profileName string) error {
 	// Use ServiceManager (creates profile in profiles/ directory)
-	profile, err := pm.serviceMgr.AddProfile(profileName, androidUsername)
-	if err != nil {
+	if err := pm.serviceMgr.AddProfile(profileName, androidUsername); err != nil {
 		return fmt.Errorf("failed to add profile: %w", err)
 	}
 
-	log.Infof("created new profile: %s", profile.ID)
+	log.Infof("created new profile: %s", profileName)
 	return nil
 }
 
 // LogoutProfile logs out from a profile (clears authentication)
-func (pm *ProfileManager) LogoutProfile(id string) error {
-	configPath, err := pm.getProfileConfigPath(id)
+func (pm *ProfileManager) LogoutProfile(profileName string) error {
+	profileName = sanitizeProfileName(profileName)
+
+	configPath, err := pm.getProfileConfigPath(profileName)
 	if err != nil {
 		return err
 	}
 
-	if !profilemanager.IsValidProfileFilenameStem(profilemanager.ID(id)) {
-		return fmt.Errorf("id '%s' is not valid", id)
-	}
-
 	// Check if profile exists
 	if _, err := os.Stat(configPath); os.IsNotExist(err) {
-		return fmt.Errorf("profile '%s' does not exist", id)
+		return fmt.Errorf("profile '%s' does not exist", profileName)
 	}
 
 	// Read current config using internal profilemanager
@@ -185,57 +174,53 @@ func (pm *ProfileManager) LogoutProfile(id string) error {
 		return fmt.Errorf("failed to save config: %w", err)
 	}
 
-	log.Infof("logged out from profile: %s", id)
+	log.Infof("logged out from profile: %s", profileName)
 	return nil
 }
 
 // RemoveProfile deletes a profile
-func (pm *ProfileManager) RemoveProfile(id string) error {
+func (pm *ProfileManager) RemoveProfile(profileName string) error {
 	// Use ServiceManager (removes profile from profiles/ directory)
-	if err := pm.serviceMgr.RemoveProfile(profilemanager.ID(id), androidUsername); err != nil {
+	if err := pm.serviceMgr.RemoveProfile(profileName, androidUsername); err != nil {
 		return fmt.Errorf("failed to remove profile: %w", err)
 	}
 
-	log.Infof("removed profile: %s", id)
+	log.Infof("removed profile: %s", profileName)
 	return nil
 }
 
 // getProfileConfigPath returns the config file path for a profile
 // This is needed for Android-specific path handling (netbird.cfg for default profile)
-func (pm *ProfileManager) getProfileConfigPath(id string) (string, error) {
-	if !profilemanager.IsValidProfileFilenameStem(profilemanager.ID(id)) {
-		return "", fmt.Errorf("id %q is not valid", id)
-	}
-
-	if id == profilemanager.DefaultProfileName {
+func (pm *ProfileManager) getProfileConfigPath(profileName string) (string, error) {
+	if profileName == "" || profileName == profilemanager.DefaultProfileName {
 		// Android uses netbird.cfg for default profile instead of default.json
 		// Default profile is stored in root configDir, not in profiles/
 		return filepath.Join(pm.configDir, defaultConfigFilename), nil
 	}
 
+	// Non-default profiles are stored in profiles subdirectory
+	// This matches the Java Preferences.java expectation
+	profileName = sanitizeProfileName(profileName)
 	profilesDir := filepath.Join(pm.configDir, profilesSubdir)
-	return filepath.Join(profilesDir, id+".json"), nil
+	return filepath.Join(profilesDir, profileName+".json"), nil
 }
 
-// GetConfigPath returns the config file path for a given profile id
+// GetConfigPath returns the config file path for a given profile
 // Java should call this instead of constructing paths with Preferences.configFile()
-func (pm *ProfileManager) GetConfigPath(id string) (string, error) {
-	return pm.getProfileConfigPath(id)
+func (pm *ProfileManager) GetConfigPath(profileName string) (string, error) {
+	return pm.getProfileConfigPath(profileName)
 }
 
 // GetStateFilePath returns the state file path for a given profile
 // Java should call this instead of constructing paths with Preferences.stateFile()
-func (pm *ProfileManager) GetStateFilePath(id string) (string, error) {
-	if id == "" || id == profilemanager.DefaultProfileName {
+func (pm *ProfileManager) GetStateFilePath(profileName string) (string, error) {
+	if profileName == "" || profileName == profilemanager.DefaultProfileName {
 		return filepath.Join(pm.configDir, "state.json"), nil
 	}
 
-	if !profilemanager.IsValidProfileFilenameStem(profilemanager.ID(id)) {
-		return "", fmt.Errorf("id %q is not valid", id)
-	}
-
+	profileName = sanitizeProfileName(profileName)
 	profilesDir := filepath.Join(pm.configDir, profilesSubdir)
-	return filepath.Join(profilesDir, id+".state.json"), nil
+	return filepath.Join(profilesDir, profileName+".state.json"), nil
 }
 
 // GetActiveConfigPath returns the config file path for the currently active profile
@@ -245,7 +230,7 @@ func (pm *ProfileManager) GetActiveConfigPath() (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("failed to get active profile: %w", err)
 	}
-	return pm.GetConfigPath(activeProfile.ID)
+	return pm.GetConfigPath(activeProfile)
 }
 
 // GetActiveStateFilePath returns the state file path for the currently active profile
@@ -255,5 +240,18 @@ func (pm *ProfileManager) GetActiveStateFilePath() (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("failed to get active profile: %w", err)
 	}
-	return pm.GetStateFilePath(activeProfile.ID)
+	return pm.GetStateFilePath(activeProfile)
+}
+
+// sanitizeProfileName removes invalid characters from profile name
+func sanitizeProfileName(name string) string {
+	// Keep only alphanumeric, underscore, and hyphen
+	var result strings.Builder
+	for _, r := range name {
+		if (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') ||
+			(r >= '0' && r <= '9') || r == '_' || r == '-' {
+			result.WriteRune(r)
+		}
+	}
+	return result.String()
 }

client/cmd/login.go

@@ -96,19 +96,17 @@ func doDaemonLogin(ctx context.Context, cmd *cobra.Command, providedSetupKey str
 		dnsLabelsReq = dnsLabelsValidated.ToSafeStringList()
 	}
 
-	handle := activeProf.ID.String()
-
 	loginRequest := proto.LoginRequest{
 		SetupKey:            providedSetupKey,
 		ManagementUrl:       managementURL,
 		IsUnixDesktopClient: isUnixRunningDesktop(),
 		Hostname:            hostName,
 		DnsLabels:           dnsLabelsReq,
-		ProfileName:         &handle,
+		ProfileName:         &activeProf.Name,
 		Username:            &username,
 	}
 
-	profileState, err := pm.GetProfileState(activeProf.ID)
+	profileState, err := pm.GetProfileState(activeProf.Name)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {
@@ -172,13 +170,14 @@ func getActiveProfile(ctx context.Context, pm *profilemanager.ProfileManager, pr
 	return activeProf, nil
 }
 
-func switchProfileOnDaemon(ctx context.Context, pm *profilemanager.ProfileManager, handle string, username string) error {
-	resolvedID, err := switchProfile(ctx, handle, username)
+func switchProfileOnDaemon(ctx context.Context, pm *profilemanager.ProfileManager, profileName string, username string) error {
+	err := switchProfile(context.Background(), profileName, username)
 	if err != nil {
 		return fmt.Errorf("switch profile on daemon: %v", err)
 	}
 
-	if err := pm.SwitchProfile(resolvedID); err != nil {
+	err = pm.SwitchProfile(profileName)
+	if err != nil {
 		return fmt.Errorf("switch profile: %v", err)
 	}
 
@@ -206,15 +205,11 @@ func switchProfileOnDaemon(ctx context.Context, pm *profilemanager.ProfileManage
 	return nil
 }
 
-// switchProfile asks the daemon to switch to the profile identified by
-// handle (a name, ID, or unique ID prefix). Returns the resolved profile
-// ID so the caller can update the local active-profile state without
-// re-resolving the handle.
-func switchProfile(ctx context.Context, handle string, username string) (profilemanager.ID, error) {
+func switchProfile(ctx context.Context, profileName string, username string) error {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
 		//nolint
-		return "", fmt.Errorf("failed to connect to daemon error: %v\n"+
+		return fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)
 	}
@@ -222,15 +217,15 @@ func switchProfile(ctx context.Context, handle string, username string) (profile
 
 	client := proto.NewDaemonServiceClient(conn)
 
-	resp, err := client.SwitchProfile(ctx, &proto.SwitchProfileRequest{
-		ProfileName: &handle,
+	_, err = client.SwitchProfile(ctx, &proto.SwitchProfileRequest{
+		ProfileName: &profileName,
 		Username:    &username,
 	})
 	if err != nil {
-		return "", fmt.Errorf("switch profile failed: %w", err)
+		return fmt.Errorf("switch profile failed: %v", err)
 	}
 
-	return profilemanager.ID(resp.Id), nil
+	return nil
 }
 
 func doForegroundLogin(ctx context.Context, cmd *cobra.Command, setupKey string, activeProf *profilemanager.Profile) error {
@@ -254,7 +249,7 @@ func doForegroundLogin(ctx context.Context, cmd *cobra.Command, setupKey string,
 		return fmt.Errorf("read config file %s: %v", configFilePath, err)
 	}
 
-	err = foregroundLogin(ctx, cmd, config, setupKey, activeProf.ID)
+	err = foregroundLogin(ctx, cmd, config, setupKey, activeProf.Name)
 	if err != nil {
 		return fmt.Errorf("foreground login failed: %v", err)
 	}
@@ -282,7 +277,7 @@ func handleSSOLogin(ctx context.Context, cmd *cobra.Command, loginResp *proto.Lo
 	return nil
 }
 
-func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, setupKey string, profileID profilemanager.ID) error {
+func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, setupKey, profileName string) error {
 	authClient, err := auth.NewAuth(ctx, config.PrivateKey, config.ManagementURL, config)
 	if err != nil {
 		return fmt.Errorf("failed to create auth client: %v", err)
@@ -296,7 +291,7 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman
 
 	jwtToken := ""
 	if setupKey == "" && needsLogin {
-		tokenInfo, err := foregroundGetTokenInfo(ctx, cmd, config, profileID)
+		tokenInfo, err := foregroundGetTokenInfo(ctx, cmd, config, profileName)
 		if err != nil {
 			return fmt.Errorf("interactive sso login failed: %v", err)
 		}
@@ -311,10 +306,10 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman
 	return nil
 }
 
-func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, profileID profilemanager.ID) (*auth.TokenInfo, error) {
+func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, profileName string) (*auth.TokenInfo, error) {
 	hint := ""
 	pm := profilemanager.NewProfileManager()
-	profileState, err := pm.GetProfileState(profileID)
+	profileState, err := pm.GetProfileState(profileName)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {

client/cmd/login_test.go

@@ -27,7 +27,7 @@ func TestLogin(t *testing.T) {
 	profilemanager.ActiveProfileStatePath = tempDir + "/active_profile.json"
 	sm := profilemanager.ServiceManager{}
 	err = sm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		ID:       "default",
+		Name:     "default",
 		Username: currUser.Username,
 	})
 	if err != nil {

client/cmd/profile.go

@@ -2,16 +2,11 @@ package cmd
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"os/user"
-	"strings"
-	"text/tabwriter"
 	"time"
 
 	"github.com/spf13/cobra"
-	"google.golang.org/grpc/codes"
-	gstatus "google.golang.org/grpc/status"
 
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
@@ -19,8 +14,6 @@ import (
 	"github.com/netbirdio/netbird/util"
 )
 
-var profileListShowID bool
-
 var profileCmd = &cobra.Command{
 	Use:   "profile",
 	Short: "Manage NetBird client profiles",
@@ -38,40 +31,27 @@ var profileListCmd = &cobra.Command{
 var profileAddCmd = &cobra.Command{
 	Use:   "add <profile_name>",
 	Short: "Add a new profile",
-	Long:  `Add a new profile. Profile name is free-form, a unique ID is generated for the on-disk config file.`,
+	Long:  `Add a new profile to the NetBird client. The profile name must be unique.`,
 	Args:  cobra.ExactArgs(1),
 	RunE:  addProfileFunc,
 }
 
-var profileRenameCmd = &cobra.Command{
-	Use:   "rename <profile> <new_profile_name>",
-	Short: "Renames an existing profile",
-	Long:  `Renames an existing profile (by a name, ID, or unique ID prefix). Profile name is free-form.`,
-	Args:  cobra.ExactArgs(2),
-	RunE:  renameProfileFunc,
-}
-
 var profileRemoveCmd = &cobra.Command{
-	Use:     "remove <profile>",
-	Short:   "Remove a profile",
-	Long:    `Remove a profile by name, ID, or unique ID prefix.`,
-	Aliases: []string{"rm"},
-	Args:    cobra.ExactArgs(1),
-	RunE:    removeProfileFunc,
+	Use:   "remove <profile_name>",
+	Short: "Remove a profile",
+	Long:  `Remove a profile from the NetBird client. The profile must not be inactive.`,
+	Args:  cobra.ExactArgs(1),
+	RunE:  removeProfileFunc,
 }
 
 var profileSelectCmd = &cobra.Command{
-	Use:   "select <profile>",
+	Use:   "select <profile_name>",
 	Short: "Select a profile",
-	Long:  `Make the specified profile active. Accepts a name, ID, or unique ID prefix.`,
+	Long:  `Make the specified profile active. This will switch the client to use the selected profile's configuration.`,
 	Args:  cobra.ExactArgs(1),
 	RunE:  selectProfileFunc,
 }
 
-func init() {
-	profileListCmd.Flags().BoolVar(&profileListShowID, "show-id", false, "show the profile ID column")
-}
-
 func setupCmd(cmd *cobra.Command) error {
 	SetFlagsFromEnvVars(rootCmd)
 	SetFlagsFromEnvVars(cmd)
@@ -85,7 +65,6 @@ func setupCmd(cmd *cobra.Command) error {
 
 	return nil
 }
-
 func listProfilesFunc(cmd *cobra.Command, _ []string) error {
 	if err := setupCmd(cmd); err != nil {
 		return err
@@ -104,33 +83,25 @@ func listProfilesFunc(cmd *cobra.Command, _ []string) error {
 
 	daemonClient := proto.NewDaemonServiceClient(conn)
 
-	resp, err := daemonClient.ListProfiles(cmd.Context(), &proto.ListProfilesRequest{
+	profiles, err := daemonClient.ListProfiles(cmd.Context(), &proto.ListProfilesRequest{
 		Username: currUser.Username,
 	})
 	if err != nil {
 		return err
 	}
 
-	tw := tabwriter.NewWriter(cmd.OutOrStdout(), 0, 0, 2, ' ', 0)
-	if profileListShowID {
-		fmt.Fprintln(tw, "ID\tNAME\tACTIVE")
-	} else {
-		fmt.Fprintln(tw, "NAME\tACTIVE")
-	}
-	for _, profile := range resp.Profiles {
-		marker := ""
+	// list profiles, add a tick if the profile is active
+	cmd.Println("Found", len(profiles.Profiles), "profiles:")
+	for _, profile := range profiles.Profiles {
+		// use a cross to indicate the passive profiles
+		activeMarker := "✗"
 		if profile.IsActive {
-			marker = "✓"
-		}
-		name := profilemanager.StripCtrlChars(profile.Name)
-		id := profilemanager.ID(profile.Id)
-		if profileListShowID {
-			fmt.Fprintf(tw, "%s\t%s\t%s\n", id.ShortID(), name, marker)
-		} else {
-			fmt.Fprintf(tw, "%s\t%s\n", name, marker)
+			activeMarker = "✓"
 		}
+		cmd.Println(activeMarker, profile.Name)
 	}
-	return tw.Flush()
+
+	return nil
 }
 
 func addProfileFunc(cmd *cobra.Command, args []string) error {
@@ -138,90 +109,33 @@ func addProfileFunc(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	currUser, err := user.Current()
-	if err != nil {
-		return fmt.Errorf("get current user: %w", err)
-	}
-
 	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
 	if err != nil {
 		return fmt.Errorf("connect to service CLI interface: %w", err)
 	}
 	defer conn.Close()
 
+	currUser, err := user.Current()
+	if err != nil {
+		return fmt.Errorf("get current user: %w", err)
+	}
+
 	daemonClient := proto.NewDaemonServiceClient(conn)
+
 	profileName := args[0]
 
-	id, err := addProfileOnDaemon(cmd.Context(), daemonClient, profileName, currUser.Username)
-	if err != nil {
-		return err
-	}
-
-	dupCount, _ := countProfilesWithName(cmd.Context(), daemonClient, currUser.Username, profileName)
-	if dupCount > 1 {
-		cmd.Printf("Warning: %d other profile(s) already use the name %q.\n", dupCount-1, profileName)
-		cmd.Println("Use `netbird profile list --show-id` to disambiguate later.")
-	}
-
-	cmd.Printf("Profile added: %s  %s\n", id.ShortID(), profilemanager.StripCtrlChars(profileName))
-	return nil
-
-}
-
-func renameProfileFunc(cmd *cobra.Command, args []string) error {
-	if err := setupCmd(cmd); err != nil {
-		return err
-	}
-
-	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
-	if err != nil {
-		return fmt.Errorf("connect to service CLI interface: %w", err)
-	}
-	defer conn.Close()
-
-	currUser, err := user.Current()
-	if err != nil {
-		return fmt.Errorf("get current user: %w", err)
-	}
-
-	daemonClient := proto.NewDaemonServiceClient(conn)
-	handle := args[0]
-	newProfilename := args[1]
-
-	resp, err := daemonClient.RenameProfile(cmd.Context(), &proto.RenameProfileRequest{
-		Handle:         handle,
-		Username:       currUser.Username,
-		NewProfileName: newProfilename,
+	_, err = daemonClient.AddProfile(cmd.Context(), &proto.AddProfileRequest{
+		ProfileName: profileName,
+		Username:    currUser.Username,
 	})
 	if err != nil {
-		return wrapAmbiguityError(err, handle)
+		return err
 	}
 
-	dupCount, _ := countProfilesWithName(cmd.Context(), daemonClient, currUser.Username, newProfilename)
-	if dupCount > 1 {
-		cmd.Printf("Warning: %d other profile(s) already use the name %q.\n", dupCount-1, newProfilename)
-		cmd.Println("Use `netbird profile list --show-id` to disambiguate later.")
-	}
-
-	cmd.Printf("Profile renamed from %s to %s\n", profilemanager.StripCtrlChars(resp.OldProfileName), profilemanager.StripCtrlChars(newProfilename))
-
+	cmd.Println("Profile added successfully:", profileName)
 	return nil
 }
 
-func countProfilesWithName(ctx context.Context, c proto.DaemonServiceClient, username, name string) (int, error) {
-	resp, err := c.ListProfiles(ctx, &proto.ListProfilesRequest{Username: username})
-	if err != nil {
-		return 0, err
-	}
-	n := 0
-	for _, p := range resp.Profiles {
-		if p.Name == name {
-			n++
-		}
-	}
-	return n, nil
-}
-
 func removeProfileFunc(cmd *cobra.Command, args []string) error {
 	if err := setupCmd(cmd); err != nil {
 		return err
@@ -239,17 +153,18 @@ func removeProfileFunc(cmd *cobra.Command, args []string) error {
 	}
 
 	daemonClient := proto.NewDaemonServiceClient(conn)
-	handle := args[0]
 
-	resp, err := daemonClient.RemoveProfile(cmd.Context(), &proto.RemoveProfileRequest{
-		ProfileName: handle,
+	profileName := args[0]
+
+	_, err = daemonClient.RemoveProfile(cmd.Context(), &proto.RemoveProfileRequest{
+		ProfileName: profileName,
 		Username:    currUser.Username,
 	})
 	if err != nil {
-		return wrapAmbiguityError(err, handle)
+		return err
 	}
 
-	cmd.Printf("Profile removed: %s\n", resp.Id)
+	cmd.Println("Profile removed successfully:", profileName)
 	return nil
 }
 
@@ -259,7 +174,7 @@ func selectProfileFunc(cmd *cobra.Command, args []string) error {
 	}
 
 	profileManager := profilemanager.NewProfileManager()
-	handle := args[0]
+	profileName := args[0]
 
 	currUser, err := user.Current()
 	if err != nil {
@@ -276,15 +191,32 @@ func selectProfileFunc(cmd *cobra.Command, args []string) error {
 
 	daemonClient := proto.NewDaemonServiceClient(conn)
 
-	switchResp, err := daemonClient.SwitchProfile(ctx, &proto.SwitchProfileRequest{
-		ProfileName: &handle,
-		Username:    &currUser.Username,
+	profiles, err := daemonClient.ListProfiles(ctx, &proto.ListProfilesRequest{
+		Username: currUser.Username,
 	})
 	if err != nil {
-		return wrapAmbiguityError(err, handle)
+		return fmt.Errorf("list profiles: %w", err)
 	}
 
-	if err := profileManager.SwitchProfile(profilemanager.ID(switchResp.Id)); err != nil {
+	var profileExists bool
+
+	for _, profile := range profiles.Profiles {
+		if profile.Name == profileName {
+			profileExists = true
+			break
+		}
+	}
+
+	if !profileExists {
+		return fmt.Errorf("profile %s does not exist", profileName)
+	}
+
+	if err := switchProfile(cmd.Context(), profileName, currUser.Username); err != nil {
+		return err
+	}
+
+	err = profileManager.SwitchProfile(profileName)
+	if err != nil {
 		return err
 	}
 
@@ -299,46 +231,6 @@ func selectProfileFunc(cmd *cobra.Command, args []string) error {
 		}
 	}
 
-	id := profilemanager.ID(switchResp.Id)
-	cmd.Printf("Profile switched to: %s\n", id.ShortID())
+	cmd.Println("Profile switched successfully to:", profileName)
 	return nil
 }
-
-// wrapAmbiguityError turns the daemon's gRPC InvalidArgument errors
-// (which carry the resolver's message verbatim) into CLI-friendly text
-// that points the user at --show-id.
-func wrapAmbiguityError(err error, handle string) error {
-	if err == nil {
-		return nil
-	}
-	st, ok := gstatus.FromError(err)
-	if !ok {
-		return err
-	}
-	switch st.Code() {
-	case codes.InvalidArgument:
-		msg := st.Message()
-		if strings.Contains(msg, "ambiguous") {
-			return errors.New(msg + "\nRun `netbird profile list --show-id` to see IDs, then select by ID prefix:\n  netbird profile select|remove <id-prefix>")
-		}
-	case codes.NotFound:
-		return fmt.Errorf("profile %q not found", handle)
-	}
-	return err
-}
-
-// addProfileOnDaemon issues the AddProfile RPC on an existing daemon client
-// and returns the new profile's ID. It is the single entry point for profile
-// creation, shared by `netbird profile add` and the `netbird up --profile
-// <name>` auto-create path.
-func addProfileOnDaemon(ctx context.Context, client proto.DaemonServiceClient, profileName, username string) (profilemanager.ID, error) {
-	resp, err := client.AddProfile(ctx, &proto.AddProfileRequest{
-		ProfileName: profileName,
-		Username:    username,
-	})
-	if err != nil {
-		return "", fmt.Errorf("add profile failed: %w", err)
-	}
-
-	return profilemanager.ID(resp.Id), nil
-}

client/cmd/root.go

@@ -190,7 +190,6 @@ func init() {
 	// profile commands
 	profileCmd.AddCommand(profileListCmd)
 	profileCmd.AddCommand(profileAddCmd)
-	profileCmd.AddCommand(profileRenameCmd)
 	profileCmd.AddCommand(profileRemoveCmd)
 	profileCmd.AddCommand(profileSelectCmd)
 

client/cmd/status.go

@@ -11,6 +11,7 @@ import (
 	"google.golang.org/grpc/status"
 
 	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/proto"
 	nbstatus "github.com/netbirdio/netbird/client/status"
 	"github.com/netbirdio/netbird/util"
@@ -110,10 +111,11 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		return nil
 	}
 
-	// Resolve the active profile's display name via the daemon, which runs
-	// as root and can read the per-user profile files. The local profile
-	// manager only knows the active profile ID, not its display name.
-	profName := getActiveProfileName(ctx)
+	pm := profilemanager.NewProfileManager()
+	var profName string
+	if activeProf, err := pm.GetActiveProfile(); err == nil {
+		profName = activeProf.Name
+	}
 
 	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp.GetFullStatus(), nbstatus.ConvertOptions{
 		Anonymize:            anonymizeFlag,
@@ -165,25 +167,6 @@ func getStatus(ctx context.Context, fullPeerStatus bool, shouldRunProbes bool) (
 	return resp, nil
 }
 
-// getActiveProfileName asks the daemon for the active profile's display
-// name. The daemon runs as root and can read the per-user profile files to
-// resolve the ID to its human-readable name. Returns an empty string on any
-// error so status output degrades gracefully.
-func getActiveProfileName(ctx context.Context) string {
-	conn, err := DialClientGRPCServer(ctx, daemonAddr)
-	if err != nil {
-		return ""
-	}
-	defer conn.Close()
-
-	resp, err := proto.NewDaemonServiceClient(conn).GetActiveProfile(ctx, &proto.GetActiveProfileRequest{})
-	if err != nil {
-		return ""
-	}
-
-	return resp.GetProfileName()
-}
-
 func parseFilters() error {
 	switch strings.ToLower(statusFilter) {
 	case "", "idle", "connecting", "connected":

client/cmd/up.go

@@ -128,9 +128,16 @@ func upFunc(cmd *cobra.Command, args []string) error {
 	var profileSwitched bool
 	// switch profile if provided
 	if profileName != "" {
-		if err := switchOrCreateProfile(cmd.Context(), pm, profileName, username.Username); err != nil {
+		err = switchProfile(cmd.Context(), profileName, username.Username)
+		if err != nil {
 			return fmt.Errorf("switch profile: %v", err)
 		}
+
+		err = pm.SwitchProfile(profileName)
+		if err != nil {
+			return fmt.Errorf("switch profile: %v", err)
+		}
+
 		profileSwitched = true
 	}
 
@@ -145,52 +152,6 @@ func upFunc(cmd *cobra.Command, args []string) error {
 	return runInDaemonMode(ctx, cmd, pm, activeProf, profileSwitched)
 }
 
-// switchOrCreateProfile switches the active profile to the one identified by
-// handle, creating it first when it does not exist yet. This restores the
-// pre-0.73 behaviour where `netbird up --profile <name>` auto-creates a
-// missing profile instead of failing.
-func switchOrCreateProfile(ctx context.Context, pm *profilemanager.ProfileManager, handle, username string) error {
-	resolvedID, err := switchProfile(ctx, handle, username)
-	if err != nil {
-		st, ok := gstatus.FromError(err)
-		if !ok || st.Code() != codes.NotFound {
-			return err
-		}
-		// Don't fail immediately on a create error: a concurrent run may
-		// have created the profile between the NotFound above and this
-		// call, in which case the retried switch still succeeds. Only
-		// surface the create error if the switch also fails.
-		_, createErr := createProfile(ctx, handle, username)
-		if resolvedID, err = switchProfile(ctx, handle, username); err != nil {
-			if createErr != nil {
-				return fmt.Errorf("create profile: %w", createErr)
-			}
-			return err
-		}
-	}
-
-	if err := pm.SwitchProfile(resolvedID); err != nil {
-		return err
-	}
-	return nil
-}
-
-// createProfile dials the daemon and creates a new profile with the given
-// display name, returning its generated ID. Use addProfileOnDaemon directly
-// when a daemon client is already available to reuse the connection.
-func createProfile(ctx context.Context, profileName, username string) (profilemanager.ID, error) {
-	conn, err := DialClientGRPCServer(ctx, daemonAddr)
-	if err != nil {
-		//nolint
-		return "", fmt.Errorf("failed to connect to daemon error: %v\n"+
-			"If the daemon is not running please run: "+
-			"\nnetbird service install \nnetbird service start\n", err)
-	}
-	defer conn.Close()
-
-	return addProfileOnDaemon(ctx, proto.NewDaemonServiceClient(conn), profileName, username)
-}
-
 func runInForegroundMode(ctx context.Context, cmd *cobra.Command, activeProf *profilemanager.Profile) error {
 	// override the default profile filepath if provided
 	if configPath != "" {
@@ -229,7 +190,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command, activeProf *pr
 
 	_, _ = profilemanager.UpdateOldManagementURL(ctx, config, configFilePath)
 
-	err = foregroundLogin(ctx, cmd, config, providedSetupKey, activeProf.ID)
+	err = foregroundLogin(ctx, cmd, config, providedSetupKey, activeProf.Name)
 	if err != nil {
 		return fmt.Errorf("foreground login failed: %v", err)
 	}
@@ -300,10 +261,10 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command, pm *profilemanager
 	}
 
 	// set the new config
-	req := setupSetConfigReq(customDNSAddressConverted, cmd, activeProf.ID.String(), username.Username)
+	req := setupSetConfigReq(customDNSAddressConverted, cmd, activeProf.Name, username.Username)
 	if _, err := client.SetConfig(ctx, req); err != nil {
 		if st, ok := gstatus.FromError(err); ok && st.Code() == codes.Unavailable {
-			log.Warnf("setConfig method is not available in the daemon: %s", st.Message())
+			log.Warnf("setConfig method is not available in the daemon")
 		} else {
 			return fmt.Errorf("call service setConfig method: %v", err)
 		}
@@ -328,11 +289,10 @@ func doDaemonUp(ctx context.Context, cmd *cobra.Command, client proto.DaemonServ
 		return fmt.Errorf("setup login request: %v", err)
 	}
 
-	profileID := activeProf.ID.String()
-	loginRequest.ProfileName = &profileID
+	loginRequest.ProfileName = &activeProf.Name
 	loginRequest.Username = &username
 
-	profileState, err := pm.GetProfileState(activeProf.ID)
+	profileState, err := pm.GetProfileState(activeProf.Name)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {
@@ -369,7 +329,7 @@ func doDaemonUp(ctx context.Context, cmd *cobra.Command, client proto.DaemonServ
 	}
 
 	if _, err := client.Up(ctx, &proto.UpRequest{
-		ProfileName: &profileID,
+		ProfileName: &activeProf.Name,
 		Username:    &username,
 	}); err != nil {
 		return fmt.Errorf("call service up method: %v", err)

client/cmd/up_daemon_test.go

@@ -29,14 +29,14 @@ func TestUpDaemon(t *testing.T) {
 	}
 
 	sm := profilemanager.ServiceManager{}
-	created, err := sm.AddProfile("test1", currUser.Username)
+	err = sm.AddProfile("test1", currUser.Username)
 	if err != nil {
 		t.Fatalf("failed to add profile: %v", err)
 		return
 	}
 
 	err = sm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		ID:       created.ID,
+		Name:     "test1",
 		Username: currUser.Username,
 	})
 	if err != nil {

client/embed/embed.go

@@ -279,11 +279,9 @@ func (c *Client) Start(startCtx context.Context) error {
 
 	select {
 	case <-startCtx.Done():
-		// ConnectClient.Stop now cancels its own run context and waits for the
-		// run loop to tear the engine down, so this cancel() is no longer
-		// required to break the deadlock and could be removed. It is kept as a
-		// defensive belt-and-suspenders: cancelling the parent context first
-		// guarantees the run loop is unblocked even if Stop's contract regresses.
+		// Cancel the client context before stopping: Engine.Start blocks on the
+		// signal stream while holding the engine mutex and only unblocks on
+		// cancellation. Stopping first would deadlock on that mutex.
 		cancel()
 		if stopErr := client.Stop(); stopErr != nil {
 			return fmt.Errorf("stop error after context done. Stop error: %w. Context done: %w", stopErr, startCtx.Err())

client/internal/connect.go

@@ -11,7 +11,6 @@ import (
 	"runtime/debug"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"time"
 
 	"github.com/cenkalti/backoff/v4"
@@ -55,10 +54,6 @@ var androidRunOverride func(c *ConnectClient, runningChan chan struct{}, logPath
 
 type ConnectClient struct {
 	ctx            context.Context
-	runCancel      context.CancelFunc
-	runExited      chan struct{}
-	runOnce        sync.Once
-	runStarted     atomic.Bool
 	config         *profilemanager.Config
 	statusRecorder *peer.Status
 
@@ -75,14 +70,8 @@ func NewConnectClient(
 	config *profilemanager.Config,
 	statusRecorder *peer.Status,
 ) *ConnectClient {
-	// Derive the run context here so Stop owns the cancel that unblocks the run
-	// loop. runCancel is set once at construction, so Stop can call it without
-	// racing the run loop's startup. Callers therefore need not cancel before Stop.
-	runCtx, runCancel := context.WithCancel(ctx)
 	return &ConnectClient{
-		ctx:            runCtx,
-		runCancel:      runCancel,
-		runExited:      make(chan struct{}),
+		ctx:            ctx,
 		config:         config,
 		statusRecorder: statusRecorder,
 		engineMutex:    sync.Mutex{},
@@ -146,11 +135,6 @@ func (c *ConnectClient) RunOniOS(
 }
 
 func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan struct{}, logPath string) error {
-	// Mark the loop as started and signal exit on return so Stop can wait for
-	// the loop to finish (and skip the wait if the loop never ran).
-	c.runStarted.Store(true)
-	defer c.runOnce.Do(func() { close(c.runExited) })
-
 	defer func() {
 		if r := recover(); r != nil {
 			rec := c.statusRecorder
@@ -306,7 +290,7 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			log.Debug(err)
 			if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.PermissionDenied) {
 				state.Set(StatusNeedsLogin)
-				c.runCancel()
+				_ = c.Stop()
 				return backoff.Permanent(wrapErr(err)) // unrecoverable error
 			}
 			return wrapErr(err)
@@ -426,10 +410,14 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		c.engine = nil
 		c.engineMutex.Unlock()
 
-		log.Infof("ensuring wg interface is removed, Netbird engine context cancelled")
+		// todo: consider to remove this condition. Is not thread safe.
+		// We should always call Stop(), but we need to verify that it is idempotent
+		if engine.wgInterface != nil {
+			log.Infof("ensuring %s is removed, Netbird engine context cancelled", engine.wgInterface.Name())
 
-		if err := engine.Stop(); err != nil {
-			log.Errorf("Failed to stop engine: %v", err)
+			if err := engine.Stop(); err != nil {
+				log.Errorf("Failed to stop engine: %v", err)
+			}
 		}
 		c.statusRecorder.ClientTeardown()
 
@@ -445,12 +433,12 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 	}
 
 	c.statusRecorder.ClientStart()
-	err = backoff.Retry(operation, backoff.WithContext(backOff, c.ctx))
+	err = backoff.Retry(operation, backOff)
 	if err != nil {
 		log.Debugf("exiting client retry loop due to unrecoverable error: %s", err)
 		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.PermissionDenied) {
 			state.Set(StatusNeedsLogin)
-			c.runCancel()
+			_ = c.Stop()
 		}
 		return err
 	}
@@ -528,9 +516,11 @@ func (c *ConnectClient) Status() StatusType {
 }
 
 func (c *ConnectClient) Stop() error {
-	c.runCancel()
-	if c.runStarted.Load() {
-		<-c.runExited
+	engine := c.Engine()
+	if engine != nil {
+		if err := engine.Stop(); err != nil {
+			return fmt.Errorf("stop engine: %w", err)
+		}
 	}
 	return nil
 }

client/internal/debug/debug_test.go

@@ -843,7 +843,6 @@ func TestAddConfig_AllFieldsCovered(t *testing.T) {
 		"PreSharedKey":      "sensitive: WireGuard pre-shared key",
 		"SSHKey":            "sensitive: SSH private key",
 		"ClientCertKeyPair": "non-config: parsed cert pair, not serialized",
-		"Name":              "non-config: profile name is not needed for debug purposes",
 		"policy":            "non-config: in-memory MDM policy snapshot, surfaced via Config.Policy() / GetConfigResponse.MDMManagedFields",
 	}
 

client/internal/dns/resutil/resolve.go

@@ -207,35 +207,3 @@ func FormatAnswers(answers []dns.RR) string {
 	}
 	return "[" + strings.Join(parts, ", ") + "]"
 }
-
-// StripOPT removes any OPT pseudo-RRs from the message's Extra section. Per
-// RFC 6891 a responder must not include an OPT RR toward a client that did not
-// advertise EDNS0.
-func StripOPT(msg *dns.Msg) {
-	if len(msg.Extra) == 0 {
-		return
-	}
-	out := msg.Extra[:0]
-	for _, rr := range msg.Extra {
-		if _, ok := rr.(*dns.OPT); ok {
-			continue
-		}
-		out = append(out, rr)
-	}
-	msg.Extra = out
-}
-
-// ExtractEDE returns the first Extended DNS Error (RFC 8914) option carried in
-// the message, if present.
-func ExtractEDE(msg *dns.Msg) (*dns.EDNS0_EDE, bool) {
-	opt := msg.IsEdns0()
-	if opt == nil {
-		return nil, false
-	}
-	for _, o := range opt.Option {
-		if ede, ok := o.(*dns.EDNS0_EDE); ok {
-			return ede, true
-		}
-	}
-	return nil, false
-}

client/internal/dns/resutil/resolve_test.go

@@ -120,42 +120,3 @@ func TestLookupIP_DNSErrorNotIsNotFound(t *testing.T) {
 
 	assert.Equal(t, dns.RcodeServerFailure, result.Rcode, "upstream failure should map to SERVFAIL")
 }
-
-func TestStripOPT(t *testing.T) {
-	rm := &dns.Msg{
-		Extra: []dns.RR{
-			&dns.OPT{Hdr: dns.RR_Header{Name: ".", Rrtype: dns.TypeOPT}},
-			&dns.A{Hdr: dns.RR_Header{Name: "x.", Rrtype: dns.TypeA}, A: net.IPv4(1, 2, 3, 4)},
-		},
-	}
-	StripOPT(rm)
-	assert.Len(t, rm.Extra, 1, "OPT should be removed, A kept")
-	_, isOPT := rm.Extra[0].(*dns.OPT)
-	assert.False(t, isOPT, "remaining record must not be OPT")
-}
-
-func TestExtractEDE(t *testing.T) {
-	t.Run("no edns", func(t *testing.T) {
-		_, ok := ExtractEDE(&dns.Msg{})
-		assert.False(t, ok, "message without OPT has no EDE")
-	})
-
-	t.Run("edns without ede", func(t *testing.T) {
-		rm := &dns.Msg{}
-		rm.SetEdns0(4096, false)
-		_, ok := ExtractEDE(rm)
-		assert.False(t, ok, "OPT without EDE option returns false")
-	})
-
-	t.Run("with ede", func(t *testing.T) {
-		rm := &dns.Msg{}
-		opt := &dns.OPT{Hdr: dns.RR_Header{Name: ".", Rrtype: dns.TypeOPT}}
-		opt.Option = append(opt.Option, &dns.EDNS0_EDE{InfoCode: 49152, ExtraText: "upstream timeout"})
-		rm.Extra = append(rm.Extra, opt)
-
-		ede, ok := ExtractEDE(rm)
-		assert.True(t, ok, "EDE option should be found")
-		assert.Equal(t, uint16(49152), ede.InfoCode)
-		assert.Equal(t, "upstream timeout", ede.ExtraText)
-	})
-}

client/internal/dns/server.go

@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"net/netip"
 	"net/url"
-	"os"
 	"slices"
 	"strings"
 	"sync"
@@ -39,15 +38,11 @@ const (
 	// defaultWarningDelayBase is the starting grace window before a
 	// "Nameserver group unreachable" event fires for a group that's
 	// never been healthy and only has overlay upstreams with no
-	// Connected peer. Per-server and overridable via envWarningDelay;
-	// see warningDelay.
-	defaultWarningDelayBase = 60 * time.Second
+	// Connected peer. Per-server and overridable; see warningDelayFor.
+	defaultWarningDelayBase = 30 * time.Second
 	// warningDelayBonusCap caps the route-count bonus added to the
-	// base grace window. See warningDelay.
+	// base grace window. See warningDelayFor.
 	warningDelayBonusCap = 30 * time.Second
-	// envWarningDelay overrides defaultWarningDelayBase with a Go duration
-	// string (e.g. "90s", "2m"). Invalid or non-positive values are ignored.
-	envWarningDelay = "NB_DNS_HEALTH_WARNING_DELAY"
 )
 
 // errNoUsableNameservers signals that a merged-domain group has no usable
@@ -140,7 +135,7 @@ type DefaultServer struct {
 	disableSys         bool
 	mux                sync.Mutex
 	service            service
-	dnsMuxHandlers     []handlerWrapper
+	dnsMuxMap          registeredHandlerMap
 	localResolver      *local.Resolver
 	wgInterface        WGIface
 	hostManager        hostManager
@@ -204,6 +199,8 @@ type handlerWrapper struct {
 	priority int
 }
 
+type registeredHandlerMap map[types.HandlerID]handlerWrapper
+
 // DefaultServerConfig holds configuration parameters for NewDefaultServer
 type DefaultServerConfig struct {
 	WgInterface    WGIface
@@ -292,6 +289,7 @@ func newDefaultServer(
 		service:           dnsService,
 		handlerChain:      handlerChain,
 		extraDomains:      make(map[domain.Domain]int),
+		dnsMuxMap:         make(registeredHandlerMap),
 		localResolver:     local.NewResolver(),
 		wgInterface:       wgInterface,
 		statusRecorder:    statusRecorder,
@@ -300,7 +298,7 @@ func newDefaultServer(
 		hostManager:       &noopHostConfigurator{},
 		mgmtCacheResolver: mgmtCacheResolver,
 		currentConfigHash: ^uint64(0), // Initialize to max uint64 to ensure first config is always applied
-		warningDelayBase:  warningDelayBaseFromEnv(),
+		warningDelayBase:  defaultWarningDelayBase,
 		healthRefresh:     make(chan struct{}, 1),
 	}
 	// Wire the local resolver against the peer status recorder so it can
@@ -330,7 +328,7 @@ func (s *DefaultServer) SetRouteSources(selected, active func() route.HAMap) {
 	type routeSettable interface {
 		setSelectedRoutes(func() route.HAMap)
 	}
-	for _, entry := range s.dnsMuxHandlers {
+	for _, entry := range s.dnsMuxMap {
 		if h, ok := entry.handler.(routeSettable); ok {
 			h.setSelectedRoutes(selected)
 		}
@@ -980,23 +978,19 @@ func (s *DefaultServer) usableNameServers(nameServers []nbdns.NameServer) []neti
 
 func (s *DefaultServer) updateMux(muxUpdates []handlerWrapper) {
 	// this will introduce a short period of time when the server is not able to handle DNS requests
-	for _, existing := range s.dnsMuxHandlers {
+	for _, existing := range s.dnsMuxMap {
 		s.deregisterHandler([]string{existing.domain}, existing.priority)
-		// The local resolver is a persistent singleton shared by every custom
-		// zone and reused across config updates. Its chain registrations are
-		// per-config and must be deregistered, but Stop() cancels its lookup
-		// context (breaking external CNAME-target resolution) and clears its
-		// records, so it must not be torn down here.
-		if existing.handler != s.localResolver {
-			existing.handler.Stop()
-		}
+		existing.handler.Stop()
 	}
 
+	muxUpdateMap := make(registeredHandlerMap)
+
 	for _, update := range muxUpdates {
 		s.registerHandler([]string{update.domain}, update.handler, update.priority)
+		muxUpdateMap[update.handler.ID()] = update
 	}
 
-	s.dnsMuxHandlers = muxUpdates
+	s.dnsMuxMap = muxUpdateMap
 }
 
 // updateNSGroupStates records the new group set and pokes the refresher.
@@ -1160,26 +1154,6 @@ func (s *DefaultServer) projectUnhealthy(p *nsGroupProj, servers []netip.AddrPor
 	return false
 }
 
-// warningDelayBaseFromEnv returns the base grace window, honoring
-// envWarningDelay when it holds a valid positive Go duration. Invalid or
-// non-positive values fall back to defaultWarningDelayBase.
-func warningDelayBaseFromEnv() time.Duration {
-	val := os.Getenv(envWarningDelay)
-	if val == "" {
-		return defaultWarningDelayBase
-	}
-	d, err := time.ParseDuration(val)
-	if err != nil {
-		log.Warnf("invalid %s value %q, using default %v: %v", envWarningDelay, val, defaultWarningDelayBase, err)
-		return defaultWarningDelayBase
-	}
-	if d <= 0 {
-		log.Warnf("%s must be positive, got %v, using default %v", envWarningDelay, d, defaultWarningDelayBase)
-		return defaultWarningDelayBase
-	}
-	return d
-}
-
 // warningDelay returns the grace window for the given selected-route
 // count. Scales gently: +1s per 100 routes, capped by
 // warningDelayBonusCap. Parallel handshakes mean handshake time grows
@@ -1230,7 +1204,7 @@ func (s *DefaultServer) groupHasImmediateUpstream(servers []netip.AddrPort, snap
 // in more than one handler.
 func (s *DefaultServer) collectUpstreamHealth() map[netip.AddrPort]UpstreamHealth {
 	merged := make(map[netip.AddrPort]UpstreamHealth)
-	for _, entry := range s.dnsMuxHandlers {
+	for _, entry := range s.dnsMuxMap {
 		reporter, ok := entry.handler.(upstreamHealthReporter)
 		if !ok {
 			continue

client/internal/dns/server_test.go

@@ -104,6 +104,19 @@ func init() {
 	formatter.SetTextFormatter(log.StandardLogger())
 }
 
+func generateDummyHandler(d string, servers []nbdns.NameServer) *upstreamResolverBase {
+	var srvs []netip.AddrPort
+	for _, srv := range servers {
+		srvs = append(srvs, srv.AddrPort())
+	}
+	u := &upstreamResolverBase{
+		domain: domain.Domain(d),
+		cancel: func() {},
+	}
+	u.addRace(srvs)
+	return u
+}
+
 func TestUpdateDNSServer(t *testing.T) {
 
 	nameServers := []nbdns.NameServer{
@@ -119,20 +132,22 @@ func TestUpdateDNSServer(t *testing.T) {
 		},
 	}
 
+	dummyHandler := local.NewResolver()
+
 	testCases := []struct {
 		name                string
-		initUpstreamMap     []handlerWrapper
+		initUpstreamMap     registeredHandlerMap
 		initLocalZones      []nbdns.CustomZone
 		initSerial          uint64
 		inputSerial         uint64
 		inputUpdate         nbdns.Config
 		shouldFail          bool
-		expectedUpstreamMap []handlerWrapper
+		expectedUpstreamMap registeredHandlerMap
 		expectedLocalQs     []dns.Question
 	}{
 		{
 			name:            "Initial Config Should Succeed",
-			initUpstreamMap: nil,
+			initUpstreamMap: make(registeredHandlerMap),
 			initSerial:      0,
 			inputSerial:     1,
 			inputUpdate: nbdns.Config{
@@ -154,17 +169,20 @@ func TestUpdateDNSServer(t *testing.T) {
 					},
 				},
 			},
-			expectedUpstreamMap: []handlerWrapper{
-				{
+			expectedUpstreamMap: registeredHandlerMap{
+				generateDummyHandler("netbird.io", nameServers).ID(): handlerWrapper{
 					domain:   "netbird.io",
+					handler:  dummyHandler,
 					priority: PriorityUpstream,
 				},
-				{
+				dummyHandler.ID(): handlerWrapper{
 					domain:   "netbird.cloud",
+					handler:  dummyHandler,
 					priority: PriorityLocal,
 				},
-				{
+				generateDummyHandler(".", nameServers).ID(): handlerWrapper{
 					domain:   nbdns.RootZone,
+					handler:  dummyHandler,
 					priority: PriorityDefault,
 				},
 			},
@@ -173,10 +191,10 @@ func TestUpdateDNSServer(t *testing.T) {
 		{
 			name:           "New Config Should Succeed",
 			initLocalZones: []nbdns.CustomZone{{Domain: "netbird.cloud", Records: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: 1, Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}}}},
-			initUpstreamMap: []handlerWrapper{
-				{
+			initUpstreamMap: registeredHandlerMap{
+				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
 					domain:   "netbird.cloud",
-					handler:  &mockHandler{},
+					handler:  dummyHandler,
 					priority: PriorityUpstream,
 				},
 			},
@@ -197,13 +215,15 @@ func TestUpdateDNSServer(t *testing.T) {
 					},
 				},
 			},
-			expectedUpstreamMap: []handlerWrapper{
-				{
+			expectedUpstreamMap: registeredHandlerMap{
+				generateDummyHandler("netbird.io", nameServers).ID(): handlerWrapper{
 					domain:   "netbird.io",
+					handler:  dummyHandler,
 					priority: PriorityUpstream,
 				},
-				{
+				"local-resolver": handlerWrapper{
 					domain:   "netbird.cloud",
+					handler:  dummyHandler,
 					priority: PriorityLocal,
 				},
 			},
@@ -212,7 +232,7 @@ func TestUpdateDNSServer(t *testing.T) {
 		{
 			name:            "Smaller Config Serial Should Be Skipped",
 			initLocalZones:  []nbdns.CustomZone{},
-			initUpstreamMap: nil,
+			initUpstreamMap: make(registeredHandlerMap),
 			initSerial:      2,
 			inputSerial:     1,
 			shouldFail:      true,
@@ -220,7 +240,7 @@ func TestUpdateDNSServer(t *testing.T) {
 		{
 			name:            "Empty NS Group Domain Or Not Primary Element Should Fail",
 			initLocalZones:  []nbdns.CustomZone{},
-			initUpstreamMap: nil,
+			initUpstreamMap: make(registeredHandlerMap),
 			initSerial:      0,
 			inputSerial:     1,
 			inputUpdate: nbdns.Config{
@@ -242,7 +262,7 @@ func TestUpdateDNSServer(t *testing.T) {
 		{
 			name:            "Invalid NS Group Nameservers list Should Fail",
 			initLocalZones:  []nbdns.CustomZone{},
-			initUpstreamMap: nil,
+			initUpstreamMap: make(registeredHandlerMap),
 			initSerial:      0,
 			inputSerial:     1,
 			inputUpdate: nbdns.Config{
@@ -264,7 +284,7 @@ func TestUpdateDNSServer(t *testing.T) {
 		{
 			name:            "Invalid Custom Zone Records list Should Skip",
 			initLocalZones:  []nbdns.CustomZone{},
-			initUpstreamMap: nil,
+			initUpstreamMap: make(registeredHandlerMap),
 			initSerial:      0,
 			inputSerial:     1,
 			inputUpdate: nbdns.Config{
@@ -281,41 +301,42 @@ func TestUpdateDNSServer(t *testing.T) {
 					},
 				},
 			},
-			expectedUpstreamMap: []handlerWrapper{{
+			expectedUpstreamMap: registeredHandlerMap{generateDummyHandler(".", nameServers).ID(): handlerWrapper{
 				domain:   ".",
+				handler:  dummyHandler,
 				priority: PriorityDefault,
 			}},
 		},
 		{
 			name:           "Empty Config Should Succeed and Clean Maps",
 			initLocalZones: []nbdns.CustomZone{{Domain: "netbird.cloud", Records: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}}}},
-			initUpstreamMap: []handlerWrapper{
-				{
+			initUpstreamMap: registeredHandlerMap{
+				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
 					domain:   zoneRecords[0].Name,
-					handler:  &mockHandler{},
+					handler:  dummyHandler,
 					priority: PriorityUpstream,
 				},
 			},
 			initSerial:          0,
 			inputSerial:         1,
 			inputUpdate:         nbdns.Config{ServiceEnable: true},
-			expectedUpstreamMap: nil,
+			expectedUpstreamMap: make(registeredHandlerMap),
 			expectedLocalQs:     []dns.Question{},
 		},
 		{
 			name:           "Disabled Service Should clean map",
 			initLocalZones: []nbdns.CustomZone{{Domain: "netbird.cloud", Records: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}}}},
-			initUpstreamMap: []handlerWrapper{
-				{
+			initUpstreamMap: registeredHandlerMap{
+				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
 					domain:   zoneRecords[0].Name,
-					handler:  &mockHandler{},
+					handler:  dummyHandler,
 					priority: PriorityUpstream,
 				},
 			},
 			initSerial:          0,
 			inputSerial:         1,
 			inputUpdate:         nbdns.Config{ServiceEnable: false},
-			expectedUpstreamMap: nil,
+			expectedUpstreamMap: make(registeredHandlerMap),
 			expectedLocalQs:     []dns.Question{},
 		},
 	}
@@ -372,7 +393,7 @@ func TestUpdateDNSServer(t *testing.T) {
 				}
 			}()
 
-			dnsServer.dnsMuxHandlers = testCase.initUpstreamMap
+			dnsServer.dnsMuxMap = testCase.initUpstreamMap
 			dnsServer.localResolver.Update(testCase.initLocalZones)
 			dnsServer.updateSerial = testCase.initSerial
 
@@ -384,20 +405,14 @@ func TestUpdateDNSServer(t *testing.T) {
 				t.Fatalf("update dns server should not fail, got error: %v", err)
 			}
 
-			if len(dnsServer.dnsMuxHandlers) != len(testCase.expectedUpstreamMap) {
-				t.Fatalf("update upstream failed, map size is different than expected, want %d, got %d", len(testCase.expectedUpstreamMap), len(dnsServer.dnsMuxHandlers))
+			if len(dnsServer.dnsMuxMap) != len(testCase.expectedUpstreamMap) {
+				t.Fatalf("update upstream failed, map size is different than expected, want %d, got %d", len(testCase.expectedUpstreamMap), len(dnsServer.dnsMuxMap))
 			}
 
-			for _, expected := range testCase.expectedUpstreamMap {
-				found := false
-				for _, got := range dnsServer.dnsMuxHandlers {
-					if got.domain == expected.domain && got.priority == expected.priority {
-						found = true
-						break
-					}
-				}
+			for key := range testCase.expectedUpstreamMap {
+				_, found := dnsServer.dnsMuxMap[key]
 				if !found {
-					t.Fatalf("update upstream failed, handler for domain=%s priority=%d not found in dnsMuxHandlers: %#v", expected.domain, expected.priority, dnsServer.dnsMuxHandlers)
+					t.Fatalf("update upstream failed, key %s was not found in the dnsMuxMap: %#v", key, dnsServer.dnsMuxMap)
 				}
 			}
 
@@ -497,8 +512,8 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 		}
 	}()
 
-	dnsServer.dnsMuxHandlers = []handlerWrapper{
-		{
+	dnsServer.dnsMuxMap = registeredHandlerMap{
+		"id1": handlerWrapper{
 			domain:   zoneRecords[0].Name,
 			handler:  &local.Resolver{},
 			priority: PriorityUpstream,
@@ -1014,15 +1029,15 @@ func (m *mockService) RegisterMux(string, dns.Handler) {}
 func (m *mockService) DeregisterMux(string)            {}
 
 func TestDefaultServer_UpdateMux(t *testing.T) {
-	baseMatchHandlers := []handlerWrapper{
-		{
+	baseMatchHandlers := registeredHandlerMap{
+		"upstream-group1": {
 			domain: "example.com",
 			handler: &mockHandler{
 				Id: "upstream-group1",
 			},
 			priority: PriorityUpstream,
 		},
-		{
+		"upstream-group2": {
 			domain: "example.com",
 			handler: &mockHandler{
 				Id: "upstream-group2",
@@ -1031,15 +1046,15 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 		},
 	}
 
-	baseRootHandlers := []handlerWrapper{
-		{
+	baseRootHandlers := registeredHandlerMap{
+		"upstream-root1": {
 			domain: ".",
 			handler: &mockHandler{
 				Id: "upstream-root1",
 			},
 			priority: PriorityDefault,
 		},
-		{
+		"upstream-root2": {
 			domain: ".",
 			handler: &mockHandler{
 				Id: "upstream-root2",
@@ -1048,22 +1063,22 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 		},
 	}
 
-	baseMixedHandlers := []handlerWrapper{
-		{
+	baseMixedHandlers := registeredHandlerMap{
+		"upstream-group1": {
 			domain: "example.com",
 			handler: &mockHandler{
 				Id: "upstream-group1",
 			},
 			priority: PriorityUpstream,
 		},
-		{
+		"upstream-group2": {
 			domain: "example.com",
 			handler: &mockHandler{
 				Id: "upstream-group2",
 			},
 			priority: PriorityUpstream - 1,
 		},
-		{
+		"upstream-other": {
 			domain: "other.com",
 			handler: &mockHandler{
 				Id: "upstream-other",
@@ -1074,7 +1089,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 
 	tests := []struct {
 		name             string
-		initialHandlers  []handlerWrapper
+		initialHandlers  registeredHandlerMap
 		updates          []handlerWrapper
 		expectedHandlers map[string]string // map[HandlerID]domain
 		description      string
@@ -1358,38 +1373,32 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			server := &DefaultServer{
-				dnsMuxHandlers: tt.initialHandlers,
-				handlerChain:   NewHandlerChain(),
-				service:        &mockService{},
+				dnsMuxMap:    tt.initialHandlers,
+				handlerChain: NewHandlerChain(),
+				service:      &mockService{},
 			}
 
 			// Perform the update
 			server.updateMux(tt.updates)
 
 			// Verify the results
-			assert.Equal(t, len(tt.expectedHandlers), len(server.dnsMuxHandlers),
+			assert.Equal(t, len(tt.expectedHandlers), len(server.dnsMuxMap),
 				"Number of handlers after update doesn't match expected")
 
 			// Check each expected handler
 			for id, expectedDomain := range tt.expectedHandlers {
-				var found *handlerWrapper
-				for i := range server.dnsMuxHandlers {
-					if server.dnsMuxHandlers[i].handler.ID() == types.HandlerID(id) {
-						found = &server.dnsMuxHandlers[i]
-						break
-					}
-				}
-				assert.NotNil(t, found, "Expected handler %s not found", id)
-				if found != nil {
-					assert.Equal(t, expectedDomain, found.domain,
+				handler, exists := server.dnsMuxMap[types.HandlerID(id)]
+				assert.True(t, exists, "Expected handler %s not found", id)
+				if exists {
+					assert.Equal(t, expectedDomain, handler.domain,
 						"Domain mismatch for handler %s", id)
 				}
 			}
 
 			// Verify no unexpected handlers exist
-			for _, entry := range server.dnsMuxHandlers {
-				_, expected := tt.expectedHandlers[string(entry.handler.ID())]
-				assert.True(t, expected, "Unexpected handler found: %s", entry.handler.ID())
+			for HandlerID := range server.dnsMuxMap {
+				_, expected := tt.expectedHandlers[string(HandlerID)]
+				assert.True(t, expected, "Unexpected handler found: %s", HandlerID)
 			}
 
 			// Verify the handlerChain state and order
@@ -1404,7 +1413,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 
 				// Verify handler exists in mux
 				foundInMux := false
-				for _, muxEntry := range server.dnsMuxHandlers {
+				for _, muxEntry := range server.dnsMuxMap {
 					if chainEntry.Handler == muxEntry.handler &&
 						chainEntry.Priority == muxEntry.priority &&
 						chainEntry.Pattern == dns.Fqdn(muxEntry.domain) {
@@ -1413,108 +1422,12 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					}
 				}
 				assert.True(t, foundInMux,
-					"Handler in chain not found in dnsMuxHandlers")
+					"Handler in chain not found in dnsMuxMap")
 			}
 		})
 	}
 }
 
-// chainHasPattern reports whether the handler chain holds an entry registered
-// for the given fqdn pattern at the given priority.
-func chainHasPattern(s *DefaultServer, pattern string, priority int) bool {
-	for _, h := range s.handlerChain.handlers {
-		if h.OrigPattern == pattern && h.Priority == priority {
-			return true
-		}
-	}
-	return false
-}
-
-// TestDefaultServer_UpdateMux_SharedHandlerZoneRemoval verifies that updateMux
-// tracks each (handler, domain) registration independently when one handler
-// serves multiple zones. Every custom zone is served by the same handler
-// instance (the local resolver, whose ID is the constant "local-resolver"), so
-// removing one zone must deregister exactly that zone's chain entry and leave
-// the others in place. Tracking registrations by handler ID alone collapses all
-// zones onto one entry, leaving removed zones in the chain to answer
-// authoritatively with no records.
-func TestDefaultServer_UpdateMux_SharedHandlerZoneRemoval(t *testing.T) {
-	// One handler serves every custom zone, mirroring s.localResolver.
-	shared := &mockHandler{Id: "local-resolver"}
-
-	server := &DefaultServer{
-		handlerChain: NewHandlerChain(),
-		service:      &mockService{},
-	}
-
-	// Two custom zones under the same handler. The surviving zone is registered
-	// last, mirroring the management emission order.
-	server.updateMux([]handlerWrapper{
-		{domain: "userzone.test", handler: shared, priority: PriorityLocal},
-		{domain: "peerzone.test", handler: shared, priority: PriorityLocal},
-	})
-
-	require.True(t, chainHasPattern(server, "userzone.test.", PriorityLocal),
-		"userzone.test should be registered after the first update")
-	require.True(t, chainHasPattern(server, "peerzone.test.", PriorityLocal),
-		"peerzone.test should be registered after the first update")
-
-	// Remove one zone, keep the other.
-	server.updateMux([]handlerWrapper{
-		{domain: "peerzone.test", handler: shared, priority: PriorityLocal},
-	})
-
-	assert.True(t, chainHasPattern(server, "peerzone.test.", PriorityLocal),
-		"peerzone.test should remain after removing userzone.test")
-	assert.False(t, chainHasPattern(server, "userzone.test.", PriorityLocal),
-		"userzone.test handler must be deregistered, not leaked in the chain")
-}
-
-// TestDefaultServer_UpdateMux_PreservesLocalResolver verifies that updateMux
-// does not tear down the shared local resolver during reconfiguration. The
-// resolver is a process-lifetime singleton reused across config updates;
-// Stop() cancels its lookup context (breaking external CNAME-target
-// resolution) and clears its records. updateMux must deregister its chain
-// entries without stopping it. Records surviving a teardown update is the
-// observable proxy: Stop() would have cleared them.
-func TestDefaultServer_UpdateMux_PreservesLocalResolver(t *testing.T) {
-	resolver := local.NewResolver()
-	require.NoError(t, resolver.RegisterRecord(nbdns.SimpleRecord{
-		Name:  "peer.netbird.cloud.",
-		Type:  int(dns.TypeA),
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "10.0.0.1",
-	}))
-
-	server := &DefaultServer{
-		handlerChain:  NewHandlerChain(),
-		service:       &mockService{},
-		localResolver: resolver,
-	}
-
-	server.updateMux([]handlerWrapper{
-		{domain: "netbird.cloud", handler: resolver, priority: PriorityLocal},
-	})
-
-	// Remove the zone. The resolver must survive so its records and lookup
-	// context stay intact for the next registration.
-	server.updateMux(nil)
-
-	var response *dns.Msg
-	resolver.ServeDNS(&test.MockResponseWriter{
-		WriteMsgFunc: func(m *dns.Msg) error {
-			response = m
-			return nil
-		},
-	}, &dns.Msg{Question: []dns.Question{{Name: "peer.netbird.cloud.", Qtype: dns.TypeA, Qclass: dns.ClassINET}}})
-
-	require.NotNil(t, response, "local resolver should answer after teardown")
-	assert.Equal(t, dns.RcodeSuccess, response.Rcode,
-		"local resolver records must survive teardown; updateMux must not Stop() the shared resolver")
-	assert.NotEmpty(t, response.Answer, "answer should contain the surviving record")
-}
-
 func TestExtraDomains(t *testing.T) {
 	tests := []struct {
 		name                string
@@ -2136,6 +2049,7 @@ func TestBuildUpstreamHandler_MergesGroupsPerDomain(t *testing.T) {
 		localResolver: local.NewResolver(),
 		handlerChain:  NewHandlerChain(),
 		hostManager:   &noopHostConfigurator{},
+		dnsMuxMap:     make(registeredHandlerMap),
 	}
 
 	groups := []*nbdns.NameServerGroup{
@@ -2293,7 +2207,7 @@ func TestEvaluateNSGroupHealth(t *testing.T) {
 	}
 }
 
-// healthStubHandler is a minimal dnsMuxHandlers entry that exposes a fixed
+// healthStubHandler is a minimal dnsMuxMap entry that exposes a fixed
 // UpstreamHealth snapshot, letting tests drive recomputeNSGroupStates
 // without spinning up real handlers.
 type healthStubHandler struct {
@@ -2369,11 +2283,12 @@ func newProjTestFixture(t *testing.T) *projTestFixture {
 		ctx:              context.Background(),
 		wgInterface:      &mocWGIface{},
 		statusRecorder:   recorder,
+		dnsMuxMap:        make(registeredHandlerMap),
 		selectedRoutes:   func() route.HAMap { return fx.selected },
 		activeRoutes:     func() route.HAMap { return fx.active },
 		warningDelayBase: defaultWarningDelayBase,
 	}
-	fx.server.dnsMuxHandlers = []handlerWrapper{{domain: "example.com", handler: fx.stub, priority: PriorityUpstream}}
+	fx.server.dnsMuxMap["example.com"] = handlerWrapper{domain: "example.com", handler: fx.stub, priority: PriorityUpstream}
 
 	fx.server.mux.Lock()
 	fx.server.updateNSGroupStates([]*nbdns.NameServerGroup{fx.group})
@@ -2480,6 +2395,7 @@ func TestProjection_OverlayAddrNoRouteDelaysWarning(t *testing.T) {
 		ctx:              context.Background(),
 		wgInterface:      &mocWGIface{},
 		statusRecorder:   recorder,
+		dnsMuxMap:        make(registeredHandlerMap),
 		selectedRoutes:   func() route.HAMap { return nil },
 		activeRoutes:     func() route.HAMap { return nil },
 		warningDelayBase: 50 * time.Millisecond,
@@ -2491,7 +2407,7 @@ func TestProjection_OverlayAddrNoRouteDelaysWarning(t *testing.T) {
 	stub := &healthStubHandler{health: map[netip.AddrPort]UpstreamHealth{
 		overlayPeer: {LastFail: time.Now(), LastErr: "timeout"},
 	}}
-	server.dnsMuxHandlers = []handlerWrapper{{domain: "example.com", handler: stub, priority: PriorityUpstream}}
+	server.dnsMuxMap["example.com"] = handlerWrapper{domain: "example.com", handler: stub, priority: PriorityUpstream}
 
 	server.mux.Lock()
 	server.updateNSGroupStates([]*nbdns.NameServerGroup{group})
@@ -2528,6 +2444,7 @@ func TestProjection_StopClearsHealthState(t *testing.T) {
 		service:           NewServiceViaMemory(wgIface),
 		hostManager:       &noopHostConfigurator{},
 		extraDomains:      map[domain.Domain]int{},
+		dnsMuxMap:         make(registeredHandlerMap),
 		statusRecorder:    peer.NewRecorder("mgm"),
 		selectedRoutes:    func() route.HAMap { return nil },
 		activeRoutes:      func() route.HAMap { return nil },
@@ -2542,7 +2459,7 @@ func TestProjection_StopClearsHealthState(t *testing.T) {
 		NameServers: []nbdns.NameServer{{IP: srv.Addr(), NSType: nbdns.UDPNameServerType, Port: int(srv.Port())}},
 	}
 	stub := &healthStubHandler{health: map[netip.AddrPort]UpstreamHealth{srv: {LastOk: time.Now()}}}
-	server.dnsMuxHandlers = []handlerWrapper{{domain: "example.com", handler: stub, priority: PriorityUpstream}}
+	server.dnsMuxMap["example.com"] = handlerWrapper{domain: "example.com", handler: stub, priority: PriorityUpstream}
 
 	server.mux.Lock()
 	server.updateNSGroupStates([]*nbdns.NameServerGroup{group})
@@ -2567,32 +2484,6 @@ func TestProjection_StopClearsHealthState(t *testing.T) {
 // rule 3: startup failures while the peer is handshaking, then the peer
 // comes up and a query succeeds before the grace window elapses. No
 // warning should ever have fired, and no recovery either.
-func TestWarningDelayBaseFromEnv(t *testing.T) {
-	tests := []struct {
-		name string
-		set  bool
-		val  string
-		want time.Duration
-	}{
-		{name: "unset uses default", set: false, want: defaultWarningDelayBase},
-		{name: "valid override", set: true, val: "90s", want: 90 * time.Second},
-		{name: "valid minutes", set: true, val: "2m", want: 2 * time.Minute},
-		{name: "invalid falls back", set: true, val: "notaduration", want: defaultWarningDelayBase},
-		{name: "zero falls back", set: true, val: "0s", want: defaultWarningDelayBase},
-		{name: "negative falls back", set: true, val: "-30s", want: defaultWarningDelayBase},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Setenv(envWarningDelay, tc.val)
-			if !tc.set {
-				os.Unsetenv(envWarningDelay)
-			}
-			assert.Equal(t, tc.want, warningDelayBaseFromEnv(), "grace window base")
-		})
-	}
-}
-
 func TestProjection_OverlayRecoversDuringGrace(t *testing.T) {
 	fx := newProjTestFixture(t)
 	fx.server.warningDelayBase = 200 * time.Millisecond
@@ -2704,6 +2595,7 @@ func TestProjection_MixedGroupEmitsImmediately(t *testing.T) {
 	server := &DefaultServer{
 		ctx:              context.Background(),
 		statusRecorder:   recorder,
+		dnsMuxMap:        make(registeredHandlerMap),
 		selectedRoutes:   func() route.HAMap { return overlayMap },
 		activeRoutes:     func() route.HAMap { return nil },
 		warningDelayBase: time.Hour,
@@ -2721,7 +2613,7 @@ func TestProjection_MixedGroupEmitsImmediately(t *testing.T) {
 			overlay: {LastFail: time.Now(), LastErr: "timeout"},
 		},
 	}
-	server.dnsMuxHandlers = []handlerWrapper{{domain: "example.com", handler: stub, priority: PriorityUpstream}}
+	server.dnsMuxMap["example.com"] = handlerWrapper{domain: "example.com", handler: stub, priority: PriorityUpstream}
 
 	server.mux.Lock()
 	server.updateNSGroupStates([]*nbdns.NameServerGroup{group})
@@ -2748,6 +2640,7 @@ func TestDNSLoopPrevention(t *testing.T) {
 		localResolver: local.NewResolver(),
 		handlerChain:  NewHandlerChain(),
 		hostManager:   &noopHostConfigurator{},
+		dnsMuxMap:     make(registeredHandlerMap),
 	}
 
 	tests := []struct {

client/internal/dns/upstream.go

@@ -443,32 +443,29 @@ func (u *upstreamResolverBase) queryUpstream(parentCtx context.Context, r *dns.M
 		return raceResult{}, &upstreamFailure{upstream: upstream, reason: "no response"}
 	}
 
-	// A valid response means the upstream is reachable, whatever the Rcode.
-	u.markUpstreamOk(upstream)
-
 	proto := ""
 	if upstreamProto != nil {
 		proto = upstreamProto.protocol
 	}
 
 	if rm.Rcode == dns.RcodeServerFailure || rm.Rcode == dns.RcodeRefused {
-		// SERVFAIL and REFUSED are per-question outcomes (DNSSEC-bogus names,
-		// refused zones, transient recursion errors), not reachability
-		// problems: fail over for a better answer but keep the upstream healthy.
 		if code, ok := nonRetryableEDE(rm); ok {
 			if !hadEdns {
-				resutil.StripOPT(rm)
+				stripOPT(rm)
 			}
+			u.markUpstreamOk(upstream)
 			return raceResult{msg: rm, upstream: upstream, protocol: proto, ede: edeName(code)}, nil
 		}
 		reason := dns.RcodeToString[rm.Rcode]
+		u.markUpstreamFail(upstream, reason)
 		return raceResult{}, &upstreamFailure{upstream: upstream, reason: reason}
 	}
 
 	if !hadEdns {
-		resutil.StripOPT(rm)
+		stripOPT(rm)
 	}
 
+	u.markUpstreamOk(upstream)
 	return raceResult{msg: rm, upstream: upstream, protocol: proto}, nil
 }
 
@@ -523,6 +520,22 @@ func upstreamUDPSize() uint16 {
 	return dns.MinMsgSize
 }
 
+// stripOPT removes any OPT pseudo-RRs from the response's Extra section so
+// the response complies with RFC 6891 when the client did not advertise EDNS0.
+func stripOPT(rm *dns.Msg) {
+	if len(rm.Extra) == 0 {
+		return
+	}
+	out := rm.Extra[:0]
+	for _, rr := range rm.Extra {
+		if _, ok := rr.(*dns.OPT); ok {
+			continue
+		}
+		out = append(out, rr)
+	}
+	rm.Extra = out
+}
+
 func (u *upstreamResolverBase) handleUpstreamError(err error, upstream netip.AddrPort, startTime time.Time) *upstreamFailure {
 	if !errors.Is(err, context.DeadlineExceeded) && !isTimeout(err) {
 		return &upstreamFailure{upstream: upstream, reason: err.Error()}

client/internal/dns/upstream_test.go

@@ -517,78 +517,6 @@ func TestUpstreamResolver_HealthTracking(t *testing.T) {
 	assert.NotContains(t, health, bad, "sibling upstream should not be queried when primary answers")
 }
 
-// TestUpstreamResolver_HealthTracking_ResponseMeansReachable verifies that an
-// upstream which answers with SERVFAIL or REFUSED is recorded as healthy:
-// those are per-question outcomes from a reachable server and must not mark
-// the upstream unhealthy. Only transport failures (timeouts) do.
-func TestUpstreamResolver_HealthTracking_ResponseMeansReachable(t *testing.T) {
-	a := netip.MustParseAddrPort("192.0.2.10:53")
-	b := netip.MustParseAddrPort("192.0.2.11:53")
-	timeoutErr := &net.OpError{Op: "read", Err: fmt.Errorf("i/o timeout")}
-
-	tests := []struct {
-		name        string
-		respA       mockUpstreamResponse
-		respB       mockUpstreamResponse
-		wantHealthy bool
-	}{
-		{
-			name:        "both SERVFAIL are reachable",
-			respA:       mockUpstreamResponse{msg: buildMockResponse(dns.RcodeServerFailure, "")},
-			respB:       mockUpstreamResponse{msg: buildMockResponse(dns.RcodeServerFailure, "")},
-			wantHealthy: true,
-		},
-		{
-			name:        "both REFUSED are reachable",
-			respA:       mockUpstreamResponse{msg: buildMockResponse(dns.RcodeRefused, "")},
-			respB:       mockUpstreamResponse{msg: buildMockResponse(dns.RcodeRefused, "")},
-			wantHealthy: true,
-		},
-		{
-			name:        "timeout marks unhealthy",
-			respA:       mockUpstreamResponse{err: timeoutErr},
-			respB:       mockUpstreamResponse{err: timeoutErr},
-			wantHealthy: false,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			mockClient := &mockUpstreamResolverPerServer{
-				responses: map[string]mockUpstreamResponse{
-					a.String(): tc.respA,
-					b.String(): tc.respB,
-				},
-				rtt: time.Millisecond,
-			}
-
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
-
-			resolver := &upstreamResolverBase{
-				ctx:             ctx,
-				upstreamClient:  mockClient,
-				upstreamTimeout: UpstreamTimeout,
-			}
-			resolver.addRace([]netip.AddrPort{a, b})
-
-			responseWriter := &test.MockResponseWriter{WriteMsgFunc: func(m *dns.Msg) error { return nil }}
-			resolver.ServeDNS(responseWriter, new(dns.Msg).SetQuestion("example.com.", dns.TypeA))
-
-			health := resolver.UpstreamHealth()
-			require.Contains(t, health, a, "primary upstream should have a health record")
-			if tc.wantHealthy {
-				assert.False(t, health[a].LastOk.IsZero(), "responding upstream should have LastOk set")
-				assert.True(t, health[a].LastFail.IsZero(), "responding upstream should not be marked failed")
-				assert.Empty(t, health[a].LastErr, "responding upstream should have no error")
-			} else {
-				assert.False(t, health[a].LastFail.IsZero(), "timed-out upstream should be marked failed")
-				assert.NotEmpty(t, health[a].LastErr, "timed-out upstream should record an error")
-			}
-		})
-	}
-}
-
 func TestFormatFailures(t *testing.T) {
 	testCases := []struct {
 		name     string
@@ -985,6 +913,19 @@ func TestEDEName(t *testing.T) {
 	assert.Equal(t, "EDE 9999", edeName(9999), "unknown code falls back to numeric")
 }
 
+func TestStripOPT(t *testing.T) {
+	rm := &dns.Msg{
+		Extra: []dns.RR{
+			&dns.OPT{Hdr: dns.RR_Header{Name: ".", Rrtype: dns.TypeOPT}},
+			&dns.A{Hdr: dns.RR_Header{Name: "x.", Rrtype: dns.TypeA}, A: net.IPv4(1, 2, 3, 4)},
+		},
+	}
+	stripOPT(rm)
+	assert.Len(t, rm.Extra, 1, "OPT should be removed, A kept")
+	_, isOPT := rm.Extra[0].(*dns.OPT)
+	assert.False(t, isOPT, "remaining record must not be OPT")
+}
+
 func TestUpstreamResolver_NonRetryableEDEShortCircuits(t *testing.T) {
 	upstream1 := netip.MustParseAddrPort("192.0.2.1:53")
 	upstream2 := netip.MustParseAddrPort("192.0.2.2:53")

client/internal/dnsfwd/forwarder.go

@@ -26,15 +26,6 @@ import (
 const errResolveFailed = "failed to resolve query for domain=%s: %v"
 const upstreamTimeout = 15 * time.Second
 
-// EDE info codes the forwarder emits on upstream failures so the querying
-// client can see the reason without inspecting this peer's logs. They live in
-// the RFC 8914 Private Use range (49152-65535); the Go resolver never exposes a
-// real upstream EDE here, so these cannot collide with a genuine code.
-const (
-	edeNetbirdUpstreamTimeout uint16 = 49152
-	edeNetbirdUpstreamFailure uint16 = 49153
-)
-
 type resolver interface {
 	LookupNetIP(ctx context.Context, network, host string) ([]netip.Addr, error)
 }
@@ -229,7 +220,7 @@ func (f *DNSForwarder) handleDNSQuery(logger *log.Entry, w dns.ResponseWriter, q
 
 	result := resutil.LookupIP(ctx, f.resolver, network, qname, question.Qtype)
 	if result.Err != nil {
-		f.handleDNSError(ctx, logger, w, question, resp, qname, result, query.IsEdns0() != nil, startTime)
+		f.handleDNSError(ctx, logger, w, question, resp, qname, result, startTime)
 		return
 	}
 
@@ -342,7 +333,6 @@ func (f *DNSForwarder) handleDNSError(
 	resp *dns.Msg,
 	domain string,
 	result resutil.LookupResult,
-	reqHasEdns bool,
 	startTime time.Time,
 ) {
 	qType := question.Qtype
@@ -384,10 +374,6 @@ func (f *DNSForwarder) handleDNSError(
 		logger.Warnf(errResolveFailed, domain, result.Err)
 	}
 
-	if reqHasEdns {
-		attachEDE(resp, edeCodeFor(dnsErr), edeText(dnsErr))
-	}
-
 	f.writeResponse(logger, w, resp, domain, startTime)
 }
 
@@ -428,33 +414,3 @@ func (f *DNSForwarder) getMatchingEntries(domain string) (route.ResID, []*Forwar
 
 	return selectedResId, matches
 }
-
-// edeCodeFor maps an upstream lookup error to the NetBird EDE info code.
-func edeCodeFor(dnsErr *net.DNSError) uint16 {
-	if dnsErr != nil && dnsErr.IsTimeout {
-		return edeNetbirdUpstreamTimeout
-	}
-	return edeNetbirdUpstreamFailure
-}
-
-// edeText builds the EDE extra-text describing the class of upstream failure.
-// It deliberately omits the upstream server address, which may be an internal
-// resolver and is exposed to any client permitted to use the route; the full
-// detail stays in the forwarder's local log.
-func edeText(dnsErr *net.DNSError) string {
-	if dnsErr != nil && dnsErr.IsTimeout {
-		return "netbird forwarder: upstream timeout"
-	}
-	return "netbird forwarder: upstream failure"
-}
-
-// attachEDE adds an Extended DNS Error (RFC 8914) option to the response,
-// creating the OPT pseudo-record if the response does not already carry one.
-func attachEDE(resp *dns.Msg, code uint16, text string) {
-	opt := resp.IsEdns0()
-	if opt == nil {
-		resp.SetEdns0(dns.DefaultMsgSize, false)
-		opt = resp.IsEdns0()
-	}
-	opt.Option = append(opt.Option, &dns.EDNS0_EDE{InfoCode: code, ExtraText: text})
-}

client/internal/dnsfwd/forwarder_test.go

@@ -16,7 +16,6 @@ import (
 	"github.com/stretchr/testify/require"
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/internal/dns/resutil"
 	"github.com/netbirdio/netbird/client/internal/dns/test"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/route"
@@ -618,85 +617,6 @@ func TestDNSForwarder_ResponseCodes(t *testing.T) {
 	}
 }
 
-func TestDNSForwarder_UpstreamFailureEDE(t *testing.T) {
-	tests := []struct {
-		name        string
-		lookupErr   error
-		reqEdns     bool
-		wantEDE     bool
-		wantCode    uint16
-		wantTextHas string
-	}{
-		{
-			name:        "timeout with edns0",
-			lookupErr:   &net.DNSError{Err: "i/o timeout", Server: "10.0.0.53:53", IsTimeout: true},
-			reqEdns:     true,
-			wantEDE:     true,
-			wantCode:    edeNetbirdUpstreamTimeout,
-			wantTextHas: "netbird forwarder: upstream timeout",
-		},
-		{
-			name:        "server failure with edns0",
-			lookupErr:   &net.DNSError{Err: "server misbehaving", Server: "10.0.0.53:53"},
-			reqEdns:     true,
-			wantEDE:     true,
-			wantCode:    edeNetbirdUpstreamFailure,
-			wantTextHas: "netbird forwarder: upstream failure",
-		},
-		{
-			name:      "no edns0 in request omits ede",
-			lookupErr: &net.DNSError{Err: "server misbehaving", Server: "10.0.0.53:53"},
-			reqEdns:   false,
-			wantEDE:   false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			mockResolver := &MockResolver{}
-			forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)
-			forwarder.resolver = mockResolver
-
-			d, err := domain.FromString("example.com")
-			require.NoError(t, err)
-			forwarder.UpdateDomains([]*ForwarderEntry{{Domain: d, ResID: "test-res"}})
-
-			mockResolver.On("LookupNetIP", mock.Anything, "ip4", "example.com.").
-				Return([]netip.Addr(nil), tt.lookupErr).Once()
-
-			query := &dns.Msg{}
-			query.SetQuestion("example.com.", dns.TypeA)
-			if tt.reqEdns {
-				query.SetEdns0(dns.DefaultMsgSize, false)
-			}
-
-			var writtenResp *dns.Msg
-			mockWriter := &test.MockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					writtenResp = m
-					return nil
-				},
-			}
-
-			forwarder.handleDNSQuery(log.NewEntry(log.StandardLogger()), mockWriter, query, time.Now())
-			mockResolver.AssertExpectations(t)
-
-			require.NotNil(t, writtenResp, "expected a response")
-			assert.Equal(t, dns.RcodeServerFailure, writtenResp.Rcode, "upstream failure must be SERVFAIL")
-
-			ede, ok := resutil.ExtractEDE(writtenResp)
-			if !tt.wantEDE {
-				assert.False(t, ok, "response must not carry EDE")
-				return
-			}
-			require.True(t, ok, "response must carry EDE")
-			assert.Equal(t, tt.wantCode, ede.InfoCode, "EDE info code")
-			assert.Contains(t, ede.ExtraText, tt.wantTextHas, "EDE extra-text")
-			assert.NotContains(t, ede.ExtraText, "10.0.0.53", "must not leak upstream server address")
-		})
-	}
-}
-
 func TestDNSForwarder_TCPTruncation(t *testing.T) {
 	// Test that large UDP responses are truncated with TC bit set
 	mockResolver := &MockResolver{}

client/internal/engine.go

@@ -82,18 +82,10 @@ const (
 	PeerConnectionTimeoutMax = 45000 // ms
 	PeerConnectionTimeoutMin = 30000 // ms
 	disableAutoUpdate        = "disabled"
-
-	// systemInfoTimeout bounds how long the sync loop waits for system info / posture
-	// check gathering. The gathering runs uncancellable system calls (process scan,
-	// exec, os.Stat); without this bound a single stuck call freezes handleSync, and
-	// thus syncMsgMux, for as long as the call hangs (observed multi-minute freezes).
-	systemInfoTimeout = 15 * time.Second
 )
 
 var ErrResetConnection = fmt.Errorf("reset connection")
 
-var ErrEngineAlreadyStarted = errors.New("engine already started")
-
 type EngineConfig struct {
 	WgPort      int
 	WgIfaceName string
@@ -207,8 +199,6 @@ type Engine struct {
 	ctx    context.Context
 	cancel context.CancelFunc
 
-	started bool
-
 	wgInterface WGIface
 
 	udpMux *udpmux.UniversalUDPMuxDefault
@@ -289,15 +279,9 @@ func NewEngine(
 	services EngineServices,
 	mobileDep MobileDependency,
 ) *Engine {
-	// The engine is single-use: a fresh instance is built per connection
-	// cycle (see Client.run), so the run context is created once here rather
-	// than in Start.
-	ctx, cancel := context.WithCancel(clientCtx)
 	engine := &Engine{
 		clientCtx:          clientCtx,
 		clientCancel:       clientCancel,
-		ctx:                ctx,
-		cancel:             cancel,
 		signal:             services.SignalClient,
 		signaler:           peer.NewSignaler(services.SignalClient, config.WgPrivateKey),
 		mgmClient:          services.MgmClient,
@@ -330,34 +314,8 @@ func (e *Engine) Stop() error {
 		log.Debugf("tried stopping engine that is nil")
 		return nil
 	}
-	e.cancel()
 	e.syncMsgMux.Lock()
 
-	e.stopLocked()
-
-	e.syncMsgMux.Unlock()
-
-	timeout := e.calculateShutdownTimeout()
-	log.Debugf("waiting for goroutines to finish with timeout: %v", timeout)
-	shutdownCtx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	if err := waitWithContext(shutdownCtx, &e.shutdownWg); err != nil {
-		log.Warnf("shutdown timeout exceeded after %v, some goroutines may still be running", timeout)
-	}
-
-	log.Infof("stopped Netbird Engine")
-
-	return nil
-}
-
-// stopLocked tears down everything Start may have brought up, in the order
-// teardown requires (DNS before the interface goes down, flow manager after).
-// The caller must hold syncMsgMux. It is shared by Stop and by Start's failure
-// path, so a partially-initialized engine is cleaned up the same way; every
-// step is nil-guarded. It does not wait on shutdownWg — the caller does that
-// after releasing the lock, since the goroutines also take syncMsgMux.
-func (e *Engine) stopLocked() {
 	if e.connMgr != nil {
 		e.connMgr.Close()
 	}
@@ -408,6 +366,10 @@ func (e *Engine) stopLocked() {
 	// so dbus and friends don't complain because of a missing interface
 	e.stopDNSServer()
 
+	if e.cancel != nil {
+		e.cancel()
+	}
+
 	e.jobExecutorWG.Wait() // block until job goroutines finish
 
 	e.close()
@@ -426,6 +388,21 @@ func (e *Engine) stopLocked() {
 	if err := e.stateManager.PersistState(context.Background()); err != nil {
 		log.Errorf("failed to persist state: %v", err)
 	}
+
+	e.syncMsgMux.Unlock()
+
+	timeout := e.calculateShutdownTimeout()
+	log.Debugf("waiting for goroutines to finish with timeout: %v", timeout)
+	shutdownCtx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	if err := waitWithContext(shutdownCtx, &e.shutdownWg); err != nil {
+		log.Warnf("shutdown timeout exceeded after %v, some goroutines may still be running", timeout)
+	}
+
+	log.Infof("stopped Netbird Engine")
+
+	return nil
 }
 
 // calculateShutdownTimeout returns shutdown timeout: 10s base + 100ms per peer, capped at 30s.
@@ -463,38 +440,18 @@ func waitWithContext(ctx context.Context, wg *sync.WaitGroup) error {
 // Start creates a new WireGuard tunnel interface and listens to events from Signal and Management services
 // Connections to remote peers are not established here.
 // However, they will be established once an event with a list of peers to connect to will be received from Management Service
-func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL) (err error) {
+func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL) error {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()
 
-	// The engine is single-use. Reject a duplicate start and a start on an
-	// already-stopped engine (run context cancelled).
-	if e.started {
-		return ErrEngineAlreadyStarted
-	}
-
-	if ctxErr := e.ctx.Err(); ctxErr != nil {
-		return fmt.Errorf("engine already stopped: %w", ctxErr)
-	}
-
-	e.started = true
-
-	// Tear down any partially-initialized state on a failed start. Cancel the
-	// run context first so goroutines started before the failure (connMgr,
-	// srWatcher, monitors) unwind, then stopLocked mirrors Stop's teardown (we
-	// already hold syncMsgMux), cleaning up route/DNS/flow/state managers too,
-	// not just what close() covers.
-	defer func() {
-		if err != nil {
-			e.cancel()
-			e.stopLocked()
-		}
-	}()
-
-	if err = iface.ValidateMTU(e.config.MTU); err != nil {
+	if err := iface.ValidateMTU(e.config.MTU); err != nil {
 		return fmt.Errorf("invalid MTU configuration: %w", err)
 	}
 
+	if e.cancel != nil {
+		e.cancel()
+	}
+	e.ctx, e.cancel = context.WithCancel(e.clientCtx)
 	e.exposeManager = expose.NewManager(e.ctx, e.mgmClient)
 
 	wgIface, err := e.newWgIface()
@@ -528,11 +485,13 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 
 	initialRoutes, dnsConfig, dnsFeatureFlag, err := e.readInitialSettings()
 	if err != nil {
+		e.close()
 		return fmt.Errorf("read initial settings: %w", err)
 	}
 
 	dnsServer, err := e.newDnsServer(dnsConfig)
 	if err != nil {
+		e.close()
 		return fmt.Errorf("create dns server: %w", err)
 	}
 	e.dnsServer = dnsServer
@@ -567,6 +526,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 
 	if err = e.wgInterfaceCreate(); err != nil {
 		log.Errorf("failed creating tunnel interface %s: [%s]", e.config.WgIfaceName, err.Error())
+		e.close()
 		return fmt.Errorf("create wg interface: %w", err)
 	}
 
@@ -575,6 +535,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	}
 
 	if err := e.createFirewall(); err != nil {
+		e.close()
 		return err
 	}
 
@@ -586,6 +547,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	e.udpMux, err = e.wgInterface.Up()
 	if err != nil {
 		log.Errorf("failed to pull up wgInterface [%s]: %s", e.wgInterface.Name(), err.Error())
+		e.close()
 		return fmt.Errorf("up wg interface: %w", err)
 	}
 
@@ -610,7 +572,9 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 		e.acl = acl.NewDefaultManager(e.firewall)
 	}
 
-	if err := e.dnsServer.Initialize(); err != nil {
+	err = e.dnsServer.Initialize()
+	if err != nil {
+		e.close()
 		return fmt.Errorf("initialize dns server: %w", err)
 	}
 
@@ -622,9 +586,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	e.srWatcher = guard.NewSRWatcher(e.signal, e.relayManager, e.mobileDep.IFaceDiscover, iceCfg)
 	e.srWatcher.Start(peer.IsForceRelayed())
 
-	if err = e.receiveSignalEvents(); err != nil {
-		return err
-	}
+	e.receiveSignalEvents()
 	e.receiveManagementEvents()
 	e.receiveJobEvents()
 
@@ -676,6 +638,7 @@ func (e *Engine) createFirewall() error {
 
 func (e *Engine) initFirewall() error {
 	if err := e.routeManager.SetFirewall(e.firewall); err != nil {
+		e.close()
 		return fmt.Errorf("set firewall: %w", err)
 	}
 
@@ -1072,23 +1035,11 @@ func (e *Engine) updateChecksIfNew(checks []*mgmProto.Checks) error {
 	}
 	e.checks = checks
 
-	info, ok := system.GetInfoWithChecksTimeout(e.ctx, systemInfoTimeout, checks)
-	if !ok {
-		// Gathering timed out; skip the meta sync this cycle rather than blocking the
-		// sync loop (and syncMsgMux) on a stuck system call. A later sync will retry.
-		return nil
+	info, err := system.GetInfoWithChecks(e.ctx, checks)
+	if err != nil {
+		log.Warnf("failed to get system info with checks: %v", err)
+		info = system.GetInfo(e.ctx)
 	}
-	e.applyInfoFlags(info)
-
-	if err := e.mgmClient.SyncMeta(info); err != nil {
-		log.Errorf("could not sync meta: error %s", err)
-		return err
-	}
-	return nil
-}
-
-// applyInfoFlags sets the engine's config-derived feature flags on the gathered system info.
-func (e *Engine) applyInfoFlags(info *system.Info) {
 	info.SetFlags(
 		e.config.RosenpassEnabled,
 		e.config.RosenpassPermissive,
@@ -1107,6 +1058,12 @@ func (e *Engine) applyInfoFlags(info *system.Info) {
 		e.config.EnableSSHRemotePortForwarding,
 		e.config.DisableSSHAuth,
 	)
+
+	if err := e.mgmClient.SyncMeta(info); err != nil {
+		log.Errorf("could not sync meta: error %s", err)
+		return err
+	}
+	return nil
 }
 
 func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
@@ -1252,15 +1209,31 @@ func (e *Engine) receiveManagementEvents() {
 	e.shutdownWg.Add(1)
 	go func() {
 		defer e.shutdownWg.Done()
-		info, ok := system.GetInfoWithChecksTimeout(e.ctx, systemInfoTimeout, e.checks)
-		if !ok {
-			// Gathering timed out; connect the stream with base info so management
-			// connectivity still comes up rather than blocking here.
+		info, err := system.GetInfoWithChecks(e.ctx, e.checks)
+		if err != nil {
+			log.Warnf("failed to get system info with checks: %v", err)
 			info = system.GetInfo(e.ctx)
 		}
-		e.applyInfoFlags(info)
+		info.SetFlags(
+			e.config.RosenpassEnabled,
+			e.config.RosenpassPermissive,
+			&e.config.ServerSSHAllowed,
+			e.config.DisableClientRoutes,
+			e.config.DisableServerRoutes,
+			e.config.DisableDNS,
+			e.config.DisableFirewall,
+			e.config.BlockLANAccess,
+			e.config.BlockInbound,
+			e.config.DisableIPv6,
+			e.config.LazyConnectionEnabled,
+			e.config.EnableSSHRoot,
+			e.config.EnableSSHSFTP,
+			e.config.EnableSSHLocalPortForwarding,
+			e.config.EnableSSHRemotePortForwarding,
+			e.config.DisableSSHAuth,
+		)
 
-		err := e.mgmClient.Sync(e.ctx, info, e.handleSync)
+		err = e.mgmClient.Sync(e.ctx, info, e.handleSync)
 		if err != nil {
 			// happens if management is unavailable for a long time.
 			// We want to cancel the operation of the whole client
@@ -1725,7 +1698,7 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix, agentV
 }
 
 // receiveSignalEvents connects to the Signal Service event stream to negotiate connection with remote peers
-func (e *Engine) receiveSignalEvents() error {
+func (e *Engine) receiveSignalEvents() {
 	e.shutdownWg.Add(1)
 	go func() {
 		defer e.shutdownWg.Done()
@@ -1741,13 +1714,6 @@ func (e *Engine) receiveSignalEvents() error {
 				return e.ctx.Err()
 			}
 
-			// Self-addressed heartbeat: the signal client's receive watchdog
-			// round-trips this through the server to confirm the receive stream
-			// is delivering. Liveness is already recorded before this handler.
-			if msg.GetBody().GetType() == sProto.Body_HEARTBEAT {
-				return nil
-			}
-
 			conn, ok := e.peerStore.PeerConn(msg.Key)
 			if !ok {
 				return fmt.Errorf("wrongly addressed message %s", msg.Key)
@@ -1796,12 +1762,7 @@ func (e *Engine) receiveSignalEvents() error {
 		}
 	}()
 
-	// todo: consider to remove this blocker. I do not see benefit to block the Start operations
-	e.signal.WaitStreamConnected(e.ctx)
-	if err := e.ctx.Err(); err != nil {
-		return fmt.Errorf("wait for signal stream: %w", err)
-	}
-	return nil
+	e.signal.WaitStreamConnected()
 }
 
 func (e *Engine) parseNATExternalIPMappings() []string {

client/internal/engine_test.go

@@ -247,7 +247,7 @@ func TestEngine_SSH(t *testing.T) {
 		return
 	}
 
-	ctx, cancel := context.WithCancel(CtxInitState(context.Background()))
+	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
 	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
@@ -426,7 +426,7 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 		return
 	}
 
-	ctx, cancel := context.WithCancel(CtxInitState(context.Background()))
+	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
 	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
@@ -638,7 +638,7 @@ func TestEngine_Sync(t *testing.T) {
 		return
 	}
 
-	ctx, cancel := context.WithCancel(CtxInitState(context.Background()))
+	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
 	// feed updates to Engine via mocked Management client
@@ -817,7 +817,7 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 				return
 			}
 
-			ctx, cancel := context.WithCancel(CtxInitState(context.Background()))
+			ctx, cancel := context.WithCancel(context.Background())
 			defer cancel()
 
 			wgIfaceName := fmt.Sprintf("utun%d", 104+n)
@@ -1024,7 +1024,7 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 				return
 			}
 
-			ctx, cancel := context.WithCancel(CtxInitState(context.Background()))
+			ctx, cancel := context.WithCancel(context.Background())
 			defer cancel()
 
 			wgIfaceName := fmt.Sprintf("utun%d", 104+n)

client/internal/profilemanager/config.go

@@ -108,10 +108,6 @@ type ConfigInput struct {
 
 // Config Configuration type
 type Config struct {
-	// Name is the human-readable profile name shown in CLI/UI listings.
-	// It is independent of the profile's on-disk filename (which is the ID).
-	Name string
-
 	// Wireguard private key of local peer
 	PrivateKey                    string
 	PreSharedKey                  string
@@ -274,16 +270,6 @@ func createNewConfig(input ConfigInput) (*Config, error) {
 }
 
 func (config *Config) apply(input ConfigInput) (updated bool, err error) {
-	if config.Name != "" {
-		sanitized, err := sanitizeDisplayName(config.Name)
-		if err != nil {
-			return false, fmt.Errorf("invalid profile name: %w", err)
-		}
-		if sanitized != config.Name {
-			config.Name = sanitized
-			updated = true
-		}
-	}
 	if config.ManagementURL == nil {
 		log.Infof("using default Management URL %s", DefaultManagementURL)
 		config.ManagementURL, err = parseURL("Management URL", DefaultManagementURL)

client/internal/profilemanager/id.go

@@ -1,118 +0,0 @@
-package profilemanager
-
-import (
-	"crypto/rand"
-	"encoding/hex"
-	"fmt"
-	"path/filepath"
-	"strings"
-	"unicode"
-	"unicode/utf8"
-)
-
-const (
-	// profileIDByteLen is the number of random bytes generated for a new
-	// profile ID. The resulting hex string is twice this length.
-	profileIDByteLen = 16
-
-	// shortIDLen is the number of leading characters of an ID we render in
-	// list output. Profiles per device are few, so 8 chars is collision-safe
-	// in practice and easy to type as a prefix.
-	shortIDLen = 8
-
-	// maxProfileNameLen caps the human-readable profile name to keep table
-	// output legible and prevent denial-of-service via huge JSON fields.
-	maxProfileNameLen = 128
-
-	// maxProfileIDLen bounds the on-disk filename we'll accept. New
-	// IDs are 32 hex chars, legacy stems are sanitized profile names. The
-	// cap is generous enough to cover both without permitting absurdly
-	// long filenames.
-	maxProfileIDLen = 64
-)
-
-type ID string
-
-// generateProfileID returns a new random hex ID for a profile file.
-func generateProfileID() (ID, error) {
-	buf := make([]byte, profileIDByteLen)
-	if _, err := rand.Read(buf); err != nil {
-		return "", fmt.Errorf("read random bytes: %w", err)
-	}
-	return ID(hex.EncodeToString(buf)), nil
-}
-
-// IsValidProfileFilenameStem reports whether id is safe to use as the stem
-// of a profile JSON filename.
-func IsValidProfileFilenameStem(id ID) bool {
-	s := id.String()
-	if s == "" || len(s) > maxProfileIDLen {
-		return false
-	}
-	if s == defaultProfileName {
-		return true
-	}
-	if strings.ContainsAny(s, `/\`) || strings.Contains(s, "..") {
-		return false
-	}
-	// filepath.Base catches any leftover separators on platforms with
-	// exotic path conventions.
-	if filepath.Base(s) != s {
-		return false
-	}
-	for _, r := range s {
-		if !(unicode.IsLetter(r) || unicode.IsDigit(r) || r == '_' || r == '-') {
-			return false
-		}
-	}
-	return true
-}
-
-// sanitizeDisplayName normalizes a user-supplied profile display name for
-// storage. It strips ASCII control characters, rejects invalid UTF-8, and
-// caps the length. Emojis, spaces, punctuation, and non-ASCII letters are
-// preserved. Returns an error if nothing usable remains.
-func sanitizeDisplayName(name string) (string, error) {
-	if !utf8.ValidString(name) {
-		return "", fmt.Errorf("name is not valid UTF-8")
-	}
-	name = StripCtrlChars(name)
-	name = strings.TrimSpace(name)
-	if name == "" {
-		return "", fmt.Errorf("name is empty after sanitization")
-	}
-	if utf8.RuneCountInString(name) > maxProfileNameLen {
-		return "", fmt.Errorf("name exceeds %d characters", maxProfileNameLen)
-	}
-	return name, nil
-}
-
-// StripCtrlChars control characters from a name before printing it.
-func StripCtrlChars(name string) string {
-	var b strings.Builder
-	b.Grow(len(name))
-	for _, r := range name {
-		// Skip C0 controls and DEL, plus C1 controls (0x80–0x9F).
-		if r < 0x20 || r == 0x7F || (r >= 0x80 && r <= 0x9F) {
-			continue
-		}
-		b.WriteRune(r)
-	}
-	return b.String()
-}
-
-// ShortID truncates an ID for display.
-func (id ID) ShortID() string {
-	if id == DefaultProfileName {
-		return DefaultProfileName
-	}
-	runes := []rune(id)
-	if len(runes) <= shortIDLen {
-		return id.String()
-	}
-	return string(runes[:shortIDLen])
-}
-
-func (id ID) String() string {
-	return string(id)
-}

client/internal/profilemanager/profilemanager.go

@@ -19,41 +19,19 @@ const (
 )
 
 type Profile struct {
-	// ID is the on-disk filename stem (without .json). For new profiles
-	// it is a 32-char hex string; legacy profiles created before the
-	// ID-keyed layout keep their original name as their ID. The reserved
-	// value "default" identifies the special default profile.
-	ID ID
-	// Name is the human-readable display name. Falls back to ID when the
-	// underlying JSON has no "name" field set.
-	Name string
-	// Path is the absolute path to the profile JSON. Populated by the
-	// loader so callers do not have to reconstruct it from ID + dir.
-	Path     string
+	Name     string
 	IsActive bool
 }
 
 func (p *Profile) FilePath() (string, error) {
-	if p.Path != "" {
-		return p.Path, nil
+	if p.Name == "" {
+		return "", fmt.Errorf("active profile name is empty")
 	}
 
-	id := p.ID
-	if id == "" {
-		id = ID(p.Name)
-	}
-	if id == "" {
-		return "", fmt.Errorf("profile ID is empty")
-	}
-
-	if id == defaultProfileName {
+	if p.Name == defaultProfileName {
 		return DefaultConfigPath, nil
 	}
 
-	if !IsValidProfileFilenameStem(id) {
-		return "", fmt.Errorf("invalid profile ID: %q", id)
-	}
-
 	username, err := user.Current()
 	if err != nil {
 		return "", fmt.Errorf("failed to get current user: %w", err)
@@ -64,13 +42,10 @@ func (p *Profile) FilePath() (string, error) {
 		return "", fmt.Errorf("failed to get config directory for user %s: %w", username.Username, err)
 	}
 
-	return filepath.Join(configDir, id.String()+".json"), nil
+	return filepath.Join(configDir, p.Name+".json"), nil
 }
 
 func (p *Profile) IsDefault() bool {
-	if p.ID != "" {
-		return p.ID == defaultProfileName
-	}
 	return p.Name == defaultProfileName
 }
 
@@ -82,24 +57,18 @@ func NewProfileManager() *ProfileManager {
 	return &ProfileManager{}
 }
 
-// GetActiveProfile returns the active profile as recorded in the local
-// user state file. Only ID is populated.
 func (pm *ProfileManager) GetActiveProfile() (*Profile, error) {
 	pm.mu.Lock()
 	defer pm.mu.Unlock()
 
-	id := pm.getActiveProfileState()
-	return &Profile{ID: id}, nil
+	prof := pm.getActiveProfileState()
+	return &Profile{Name: prof}, nil
 }
 
-// SwitchProfile records the given profile ID as active in the local user
-// state file.
-func (pm *ProfileManager) SwitchProfile(id ID) error {
-	if id != defaultProfileName && !IsValidProfileFilenameStem(id) {
-		return fmt.Errorf("invalid profile ID: %q", id)
-	}
+func (pm *ProfileManager) SwitchProfile(profileName string) error {
+	profileName = sanitizeProfileName(profileName)
 
-	if err := pm.setActiveProfileState(id); err != nil {
+	if err := pm.setActiveProfileState(profileName); err != nil {
 		return fmt.Errorf("failed to switch profile: %w", err)
 	}
 	return nil
@@ -116,7 +85,7 @@ func sanitizeProfileName(name string) string {
 	}, name)
 }
 
-func (pm *ProfileManager) getActiveProfileState() ID {
+func (pm *ProfileManager) getActiveProfileState() string {
 
 	configDir, err := getConfigDir()
 	if err != nil {
@@ -144,10 +113,10 @@ func (pm *ProfileManager) getActiveProfileState() ID {
 		return defaultProfileName
 	}
 
-	return ID(profileName)
+	return profileName
 }
 
-func (pm *ProfileManager) setActiveProfileState(id ID) error {
+func (pm *ProfileManager) setActiveProfileState(profileName string) error {
 
 	configDir, err := getConfigDir()
 	if err != nil {
@@ -156,7 +125,7 @@ func (pm *ProfileManager) setActiveProfileState(id ID) error {
 
 	statePath := filepath.Join(configDir, activeProfileStateFilename)
 
-	err = os.WriteFile(statePath, []byte(id), 0600)
+	err = os.WriteFile(statePath, []byte(profileName), 0600)
 	if err != nil {
 		return fmt.Errorf("failed to write active profile state: %w", err)
 	}
@@ -173,7 +142,7 @@ func GetLoginHint() string {
 		return ""
 	}
 
-	profileState, err := pm.GetProfileState(activeProf.ID)
+	profileState, err := pm.GetProfileState(activeProf.Name)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 		return ""

client/internal/profilemanager/profilemanager_test.go

@@ -50,14 +50,14 @@ func TestServiceManager_CreateAndGetDefaultProfile(t *testing.T) {
 
 			state, err := sm.GetActiveProfileState()
 			assert.NoError(t, err)
-			assert.Equal(t, defaultProfileName, state.ID.String()) // No active profile state yet
+			assert.Equal(t, state.Name, defaultProfileName) // No active profile state yet
 
 			err = sm.SetActiveProfileStateToDefault()
 			assert.NoError(t, err)
 
 			active, err := sm.GetActiveProfileState()
 			assert.NoError(t, err)
-			assert.Equal(t, "default", active.ID.String())
+			assert.Equal(t, "default", active.Name)
 		})
 	})
 }
@@ -92,14 +92,14 @@ func TestServiceManager_SetActiveProfileState(t *testing.T) {
 			currUser, err := user.Current()
 			assert.NoError(t, err)
 			sm := &ServiceManager{}
-			state := &ActiveProfileState{ID: "foo", Username: currUser.Username}
+			state := &ActiveProfileState{Name: "foo", Username: currUser.Username}
 			err = sm.SetActiveProfileState(state)
 			assert.NoError(t, err)
 
 			// Should error on nil or incomplete state
 			err = sm.SetActiveProfileState(nil)
 			assert.Error(t, err)
-			err = sm.SetActiveProfileState(&ActiveProfileState{ID: "", Username: ""})
+			err = sm.SetActiveProfileState(&ActiveProfileState{Name: "", Username: ""})
 			assert.Error(t, err)
 		})
 	})

client/internal/profilemanager/service.go

@@ -2,7 +2,6 @@ package profilemanager
 
 import (
 	"context"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -24,43 +23,12 @@ var (
 	DefaultConfigPathDir   = ""
 	DefaultConfigPath      = ""
 	ActiveProfileStatePath = ""
+)
 
+var (
 	ErrorOldDefaultConfigNotFound = errors.New("old default config not found")
 )
 
-// ErrAmbiguousHandle is returned when a profile handle (ID prefix or name)
-// matches more than one profile. Callers can render Candidates to help the
-// user disambiguate.
-type ErrAmbiguousHandle struct {
-	Handle     string
-	Candidates []Profile
-	Kind       AmbiguityKind
-}
-
-// AmbiguityKind describes which matcher produced the ambiguity, so callers
-// can tailor the error message.
-type AmbiguityKind int
-
-const (
-	AmbiguityKindIDPrefix AmbiguityKind = iota
-	AmbiguityKindName
-)
-
-// profileMeta is the minimal slice of a profile JSON we need, so we avoid
-// reading all fields
-type profileMeta struct {
-	Name string
-}
-
-func (e *ErrAmbiguousHandle) Error() string {
-	switch e.Kind {
-	case AmbiguityKindIDPrefix:
-		return fmt.Sprintf("ID prefix %q is ambiguous (matches %d profiles)", e.Handle, len(e.Candidates))
-	default:
-		return fmt.Sprintf("name %q is ambiguous (%d profiles share this name)", e.Handle, len(e.Candidates))
-	}
-}
-
 func init() {
 
 	DefaultConfigPathDir = "/var/lib/netbird/"
@@ -86,34 +54,25 @@ func init() {
 }
 
 type ActiveProfileState struct {
-	// ID is the on-disk filename stem of the active profile. The JSON tag stays
-	// as "name" for backwards compatibility with active state files written
-	// before the ID-based config files. Legacy values were profile names, which
-	// were also the legacy filename stems, so they still resolve to the correct
-	// file on disk.
-	ID       ID     `json:"name"`
+	Name     string `json:"name"`
 	Username string `json:"username"`
 }
 
 func (a *ActiveProfileState) FilePath() (string, error) {
-	if a.ID == "" {
-		return "", fmt.Errorf("active profile ID is empty")
+	if a.Name == "" {
+		return "", fmt.Errorf("active profile name is empty")
 	}
 
-	if a.ID == defaultProfileName {
+	if a.Name == defaultProfileName {
 		return DefaultConfigPath, nil
 	}
 
-	if !IsValidProfileFilenameStem(a.ID) {
-		return "", fmt.Errorf("invalid profile ID: %q", a.ID)
-	}
-
 	configDir, err := getConfigDirForUser(a.Username)
 	if err != nil {
 		return "", fmt.Errorf("failed to get config directory for user %s: %w", a.Username, err)
 	}
 
-	return filepath.Join(configDir, a.ID.String()+".json"), nil
+	return filepath.Join(configDir, a.Name+".json"), nil
 }
 
 type ServiceManager struct {
@@ -219,7 +178,7 @@ func (s *ServiceManager) GetActiveProfileState() (*ActiveProfileState, error) {
 				return nil, fmt.Errorf("failed to set active profile to default: %w", err)
 			}
 			return &ActiveProfileState{
-				ID:       defaultProfileName,
+				Name:     "default",
 				Username: "",
 			}, nil
 		} else {
@@ -227,12 +186,12 @@ func (s *ServiceManager) GetActiveProfileState() (*ActiveProfileState, error) {
 		}
 	}
 
-	if activeProfile.ID == "" {
+	if activeProfile.Name == "" {
 		if err := s.SetActiveProfileStateToDefault(); err != nil {
 			return nil, fmt.Errorf("failed to set active profile to default: %w", err)
 		}
 		return &ActiveProfileState{
-			ID:       defaultProfileName,
+			Name:     "default",
 			Username: "",
 		}, nil
 	}
@@ -257,29 +216,25 @@ func (s *ServiceManager) setDefaultActiveState() error {
 }
 
 func (s *ServiceManager) SetActiveProfileState(a *ActiveProfileState) error {
-	if a == nil || a.ID == "" {
+	if a == nil || a.Name == "" {
 		return errors.New("invalid active profile state")
 	}
 
-	if a.ID != defaultProfileName && a.Username == "" {
-		return fmt.Errorf("username must be set for non-default profiles, got: %s", a.ID)
-	}
-
-	if a.ID != defaultProfileName && !IsValidProfileFilenameStem(a.ID) {
-		return fmt.Errorf("invalid profile ID: %q", a.ID)
+	if a.Name != defaultProfileName && a.Username == "" {
+		return fmt.Errorf("username must be set for non-default profiles, got: %s", a.Name)
 	}
 
 	if err := util.WriteJsonWithRestrictedPermission(context.Background(), ActiveProfileStatePath, a); err != nil {
 		return fmt.Errorf("failed to write active profile state: %w", err)
 	}
 
-	log.Infof("active profile set to %s for %s", a.ID, a.Username)
+	log.Infof("active profile set to %s for %s", a.Name, a.Username)
 	return nil
 }
 
 func (s *ServiceManager) SetActiveProfileStateToDefault() error {
 	return s.SetActiveProfileState(&ActiveProfileState{
-		ID:       defaultProfileName,
+		Name:     "default",
 		Username: "",
 	})
 }
@@ -288,117 +243,57 @@ func (s *ServiceManager) DefaultProfilePath() string {
 	return DefaultConfigPath
 }
 
-// AddProfile creates a new profile with a generated ID. The user-supplied
-// displayName is stored inside the JSON's name field, the on-disk filename
-// uses the generated ID.
-//
-// The returned Profile carries the freshly-generated ID so callers can
-// show it to the user (and so the gRPC AddProfileResponse can include
-// it).
-func (s *ServiceManager) AddProfile(displayName, username string) (*Profile, error) {
+func (s *ServiceManager) AddProfile(profileName, username string) error {
 	configDir, err := s.getConfigDir(username)
 	if err != nil {
-		return nil, fmt.Errorf("failed to get config directory: %w", err)
+		return fmt.Errorf("failed to get config directory: %w", err)
 	}
 
-	displayName, err = sanitizeDisplayName(displayName)
+	profileName = sanitizeProfileName(profileName)
+
+	if profileName == defaultProfileName {
+		return fmt.Errorf("cannot create profile with reserved name: %s", defaultProfileName)
+	}
+
+	profPath := filepath.Join(configDir, profileName+".json")
+	profileExists, err := fileExists(profPath)
 	if err != nil {
-		return nil, fmt.Errorf("invalid profile name: %w", err)
+		return fmt.Errorf("failed to check if profile exists: %w", err)
+	}
+	if profileExists {
+		return ErrProfileAlreadyExists
 	}
 
-	id, err := generateProfileID()
-	if err != nil {
-		return nil, fmt.Errorf("generate profile id: %w", err)
-	}
-
-	profPath := filepath.Join(configDir, id.String()+".json")
 	cfg, err := createNewConfig(ConfigInput{ConfigPath: profPath})
 	if err != nil {
-		return nil, fmt.Errorf("failed to create new config: %w", err)
-	}
-	cfg.Name = displayName
-
-	if err := util.WriteJson(context.Background(), profPath, cfg); err != nil {
-		return nil, fmt.Errorf("failed to write profile config: %w", err)
+		return fmt.Errorf("failed to create new config: %w", err)
 	}
 
-	return &Profile{
-		ID:   id,
-		Name: displayName,
-		Path: profPath,
-	}, nil
-}
-
-func (s *ServiceManager) RenameProfile(id ID, username string, newName string) error {
-	displayName, err := sanitizeDisplayName(newName)
+	err = util.WriteJson(context.Background(), profPath, cfg)
 	if err != nil {
-		return fmt.Errorf("invalid profile name: %w", err)
+		return fmt.Errorf("failed to write profile config: %w", err)
 	}
 
-	if !IsValidProfileFilenameStem(id) {
-		return fmt.Errorf("invalid profile ID: %q", id)
-	}
-
-	profiles, err := s.loadAllProfiles(username)
-	if err != nil {
-		return fmt.Errorf("load profiles: %w", err)
-	}
-
-	var target *Profile
-	for i := range profiles {
-		if profiles[i].ID == id {
-			target = &profiles[i]
-			break
-		}
-	}
-	if target == nil {
-		return ErrProfileNotFound
-	}
-
-	data, err := os.ReadFile(target.Path)
-	if err != nil {
-		return err
-	}
-	var cfg Config
-	if err := json.Unmarshal(data, &cfg); err != nil {
-		return err
-	}
-	cfg.Name = displayName
-
-	if err := util.WriteJson(context.Background(), target.Path, cfg); err != nil {
-		return fmt.Errorf("failed to write profile name: %w", err)
-	}
 	return nil
 }
 
-// RemoveProfile deletes the profile identified by id. Callers must have
-// already resolved any user-supplied handle to a concrete ID via
-// ResolveProfile.
-func (s *ServiceManager) RemoveProfile(id ID, username string) error {
-	if id == defaultProfileName {
-		defaultName := readProfileName(DefaultConfigPath)
-		if defaultName == "" {
-			defaultName = defaultProfileName
-		}
-		return fmt.Errorf("cannot remove default profile with name: %s", defaultName)
-	}
-	if !IsValidProfileFilenameStem(id) {
-		return fmt.Errorf("invalid profile ID: %q", id)
-	}
-
-	profiles, err := s.loadAllProfiles(username)
+func (s *ServiceManager) RemoveProfile(profileName, username string) error {
+	configDir, err := s.getConfigDir(username)
 	if err != nil {
-		return fmt.Errorf("load profiles: %w", err)
+		return fmt.Errorf("failed to get config directory: %w", err)
 	}
 
-	var target *Profile
-	for i := range profiles {
-		if profiles[i].ID == id {
-			target = &profiles[i]
-			break
-		}
+	profileName = sanitizeProfileName(profileName)
+
+	if profileName == defaultProfileName {
+		return fmt.Errorf("cannot remove profile with reserved name: %s", defaultProfileName)
 	}
-	if target == nil {
+	profPath := filepath.Join(configDir, profileName+".json")
+	profileExists, err := fileExists(profPath)
+	if err != nil {
+		return fmt.Errorf("failed to check if profile exists: %w", err)
+	}
+	if !profileExists {
 		return ErrProfileNotFound
 	}
 
@@ -406,26 +301,57 @@ func (s *ServiceManager) RemoveProfile(id ID, username string) error {
 	if err != nil && !errors.Is(err, ErrNoActiveProfile) {
 		return fmt.Errorf("failed to get active profile: %w", err)
 	}
-	if activeProf != nil && activeProf.ID == id {
-		return fmt.Errorf("cannot remove active profile: %s", id)
+
+	if activeProf != nil && activeProf.Name == profileName {
+		return fmt.Errorf("cannot remove active profile: %s", profileName)
 	}
 
-	if err := util.RemoveJson(target.Path); err != nil {
+	err = util.RemoveJson(profPath)
+	if err != nil {
 		return fmt.Errorf("failed to remove profile config: %w", err)
 	}
-
-	stateFile := filepath.Join(filepath.Dir(target.Path), id.String()+".state.json")
-	if err := os.Remove(stateFile); err != nil && !os.IsNotExist(err) {
-		log.Warnf("failed to remove profile state file %s: %v", stateFile, err)
-	}
-
 	return nil
 }
 
-// ListProfiles returns every profile for the given user, including the
-// default profile, with IsActive flags set.
 func (s *ServiceManager) ListProfiles(username string) ([]Profile, error) {
-	return s.loadAllProfiles(username)
+	configDir, err := s.getConfigDir(username)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get config directory: %w", err)
+	}
+
+	files, err := util.ListFiles(configDir, "*.json")
+	if err != nil {
+		return nil, fmt.Errorf("failed to list profile files: %w", err)
+	}
+
+	var filtered []string
+	for _, file := range files {
+		if strings.HasSuffix(file, "state.json") {
+			continue // skip state files
+		}
+		filtered = append(filtered, file)
+	}
+	sort.Strings(filtered)
+
+	var activeProfName string
+	activeProf, err := s.GetActiveProfileState()
+	if err == nil {
+		activeProfName = activeProf.Name
+	}
+
+	var profiles []Profile
+	// add default profile always
+	profiles = append(profiles, Profile{Name: defaultProfileName, IsActive: activeProfName == "" || activeProfName == defaultProfileName})
+	for _, file := range filtered {
+		profileName := strings.TrimSuffix(filepath.Base(file), ".json")
+		var isActive bool
+		if activeProfName != "" && activeProfName == profileName {
+			isActive = true
+		}
+		profiles = append(profiles, Profile{Name: profileName, IsActive: isActive})
+	}
+
+	return profiles, nil
 }
 
 // GetStatePath returns the path to the state file based on the operating system
@@ -443,12 +369,7 @@ func (s *ServiceManager) GetStatePath() string {
 		return defaultStatePath
 	}
 
-	if activeProf.ID == defaultProfileName {
-		return defaultStatePath
-	}
-
-	if !IsValidProfileFilenameStem(activeProf.ID) {
-		log.Warnf("invalid active profile ID %q, using default state path", activeProf.ID)
+	if activeProf.Name == defaultProfileName {
 		return defaultStatePath
 	}
 
@@ -458,7 +379,7 @@ func (s *ServiceManager) GetStatePath() string {
 		return defaultStatePath
 	}
 
-	return filepath.Join(configDir, activeProf.ID.String()+".state.json")
+	return filepath.Join(configDir, activeProf.Name+".state.json")
 }
 
 // getConfigDir returns the profiles directory, using profilesDir if set, otherwise getConfigDirForUser
@@ -469,169 +390,3 @@ func (s *ServiceManager) getConfigDir(username string) (string, error) {
 
 	return getConfigDirForUser(username)
 }
-
-// loadAllProfiles returns every profile visible to the daemon for the
-// given user, including the default profile. The returned slice is sorted
-// by ID for a stable display order.
-//
-// Each Profile is fully populated: ID is the filename stem, Name comes
-// from the JSON's "name" field (falling back to the filename stem when absent)
-// and Path is built from a basename read off disk.
-func (s *ServiceManager) loadAllProfiles(username string) ([]Profile, error) {
-	activeID, activeIsDefault := s.activeProfileID()
-	defaultName := readProfileName(DefaultConfigPath)
-	if defaultName == "" {
-		defaultName = defaultProfileName
-	}
-
-	profiles := []Profile{{
-		ID:       defaultProfileName,
-		Name:     defaultName,
-		Path:     DefaultConfigPath,
-		IsActive: activeIsDefault,
-	}}
-
-	configDir, err := s.getConfigDir(username)
-	if err != nil {
-		return nil, fmt.Errorf("get config directory: %w", err)
-	}
-
-	entries, err := os.ReadDir(configDir)
-	if err != nil {
-		if errors.Is(err, os.ErrNotExist) {
-			return profiles, nil
-		}
-		return nil, fmt.Errorf("read profile directory: %w", err)
-	}
-
-	var fileProfiles []Profile
-	for _, entry := range entries {
-		if entry.IsDir() {
-			continue
-		}
-		base := entry.Name()
-		if !strings.HasSuffix(base, ".json") {
-			continue
-		}
-		if strings.HasSuffix(base, ".state.json") {
-			continue
-		}
-		stem := ID(strings.TrimSuffix(base, ".json"))
-		if stem == defaultProfileName {
-			// default lives at the top-level config dir, not under /<user>
-			continue
-		}
-		if !IsValidProfileFilenameStem(ID(stem)) {
-			continue
-		}
-		path := filepath.Join(configDir, base)
-		name := readProfileName(path)
-		if name == "" {
-			name = stem.String()
-		}
-		fileProfiles = append(fileProfiles, Profile{
-			ID:       stem,
-			Name:     name,
-			Path:     path,
-			IsActive: stem == ID(activeID),
-		})
-	}
-
-	sort.Slice(fileProfiles, func(i, j int) bool {
-		if fileProfiles[i].Name != fileProfiles[j].Name {
-			return fileProfiles[i].Name < fileProfiles[j].Name
-		}
-		// Sort tie-break on ID so duplicate names always render in the same order.
-		return fileProfiles[i].ID < fileProfiles[j].ID
-	})
-	profiles = append(profiles, fileProfiles...)
-	return profiles, nil
-}
-
-// readProfileName parses just the "name" field from the profile Json.
-func readProfileName(path string) string {
-	data, err := os.ReadFile(path)
-	if err != nil {
-		return ""
-	}
-	var meta profileMeta
-	if err := json.Unmarshal(data, &meta); err != nil {
-		return ""
-	}
-	return meta.Name
-}
-
-// activeProfileID returns the currently-active profile's ID. The second
-// return value is true when the active profile is the default one.
-func (s *ServiceManager) activeProfileID() (ID, bool) {
-	state, err := s.GetActiveProfileState()
-	if err != nil || state == nil {
-		return defaultProfileName, true
-	}
-	if state.ID == "" || state.ID == defaultProfileName {
-		return defaultProfileName, true
-	}
-	return state.ID, false
-}
-
-// ResolveProfile turns a user-supplied handle into a Profile. Resolution
-// precedence is: exact ID match, then unique exact name, then unique ID
-// prefix. Ambiguous matches return *ErrAmbiguousHandle so callers can
-// surface the candidates.
-func (s *ServiceManager) ResolveProfile(handle, username string) (*Profile, error) {
-	if handle == "" {
-		return nil, fmt.Errorf("profile handle is empty")
-	}
-
-	profiles, err := s.loadAllProfiles(username)
-	if err != nil {
-		return nil, err
-	}
-
-	for i := range profiles {
-		if profiles[i].ID == ID(handle) {
-			return &profiles[i], nil
-		}
-	}
-
-	var nameMatches []Profile
-	for i := range profiles {
-		if profiles[i].Name == handle {
-			nameMatches = append(nameMatches, profiles[i])
-		}
-	}
-	if len(nameMatches) == 1 {
-		return &nameMatches[0], nil
-	}
-	if len(nameMatches) > 1 {
-		return nil, &ErrAmbiguousHandle{
-			Handle:     handle,
-			Candidates: nameMatches,
-			Kind:       AmbiguityKindName,
-		}
-	}
-
-	// ID prefix match. Skip the default profile so `select d` does not
-	// accidentally pick it via prefix.
-	var prefixMatches []Profile
-	for i := range profiles {
-		if profiles[i].ID == defaultProfileName {
-			continue
-		}
-		if strings.HasPrefix(profiles[i].ID.String(), handle) {
-			prefixMatches = append(prefixMatches, profiles[i])
-		}
-	}
-	if len(prefixMatches) == 1 {
-		return &prefixMatches[0], nil
-	}
-	if len(prefixMatches) > 1 {
-		return nil, &ErrAmbiguousHandle{
-			Handle:     handle,
-			Candidates: prefixMatches,
-			Kind:       AmbiguityKindIDPrefix,
-		}
-	}
-
-	return nil, ErrProfileNotFound
-}

client/internal/profilemanager/service_test.go

@@ -1,230 +0,0 @@
-package profilemanager
-
-import (
-	"context"
-	"errors"
-	"os"
-	"os/user"
-	"path/filepath"
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/util"
-)
-
-// withTestSM wires up patched globals + a clean config dir and returns a
-// fully initialized ServiceManager plus the username we are scoped to.
-func withTestSM(t *testing.T, fn func(sm *ServiceManager, username string)) {
-	t.Helper()
-	withTempConfigDir(t, func(configDir string) {
-		withPatchedGlobals(t, configDir, func() {
-			u, err := user.Current()
-			require.NoError(t, err)
-			sm := &ServiceManager{}
-			require.NoError(t, sm.CreateDefaultProfile())
-			fn(sm, u.Username)
-		})
-	})
-}
-
-func TestServiceProfile_ExactID(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		created, err := sm.AddProfile("work", username)
-		require.NoError(t, err)
-
-		got, err := sm.ResolveProfile(created.ID.String(), username)
-		require.NoError(t, err)
-		assert.Equal(t, created.ID, got.ID)
-		assert.Equal(t, "work", got.Name)
-	})
-}
-
-func TestServiceProfile_IDPrefix(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		created, err := sm.AddProfile("work", username)
-		require.NoError(t, err)
-
-		prefix := created.ID[:4]
-		got, err := sm.ResolveProfile(prefix.String(), username)
-		require.NoError(t, err)
-		assert.Equal(t, created.ID, got.ID)
-	})
-}
-
-func TestServiceProfile_AmbiguousPrefix(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		// Plant two profiles whose IDs share a known prefix by writing
-		// the files directly, since generated IDs are random.
-		configDir, err := sm.getConfigDir(username)
-		require.NoError(t, err)
-		for _, id := range []string{"abcd1111aaaa", "abcd2222bbbb"} {
-			path := filepath.Join(configDir, id+".json")
-			require.NoError(t, util.WriteJson(context.Background(), path, &Config{Name: id}))
-		}
-
-		_, err = sm.ResolveProfile("abcd", username)
-		var amb *ErrAmbiguousHandle
-		require.ErrorAs(t, err, &amb)
-		assert.Equal(t, AmbiguityKindIDPrefix, amb.Kind)
-		assert.Len(t, amb.Candidates, 2)
-	})
-}
-
-func TestServiceProfile_ExactNameUnique(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		_, err := sm.AddProfile("work", username)
-		require.NoError(t, err)
-
-		got, err := sm.ResolveProfile("work", username)
-		require.NoError(t, err)
-		assert.Equal(t, "work", got.Name)
-	})
-}
-
-func TestServiceProfile_AmbiguousName(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		_, err := sm.AddProfile("work", username)
-		require.NoError(t, err)
-		_, err = sm.AddProfile("work", username)
-		require.NoError(t, err)
-
-		_, err = sm.ResolveProfile("work", username)
-		var amb *ErrAmbiguousHandle
-		require.ErrorAs(t, err, &amb)
-		assert.Equal(t, AmbiguityKindName, amb.Kind)
-		assert.Len(t, amb.Candidates, 2)
-	})
-}
-
-func TestServiceProfile_NotFound(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		_, err := sm.ResolveProfile("nope", username)
-		assert.ErrorIs(t, err, ErrProfileNotFound)
-	})
-}
-
-func TestServiceProfile_DefaultByExactID(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		got, err := sm.ResolveProfile(defaultProfileName, username)
-		require.NoError(t, err)
-		assert.Equal(t, defaultProfileName, got.ID.String())
-	})
-}
-
-func TestServiceProfile_LegacyFilenameCoexists(t *testing.T) {
-	// Legacy profiles stored as <name>.json with no "name" JSON field
-	// should still be discoverable by name and removable by name.
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		configDir, err := sm.getConfigDir(username)
-		require.NoError(t, err)
-		path := filepath.Join(configDir, "legacy.json")
-		require.NoError(t, util.WriteJson(context.Background(), path, &Config{}))
-
-		got, err := sm.ResolveProfile("legacy", username)
-		require.NoError(t, err)
-		assert.Equal(t, "legacy", got.ID.String())
-		// Name falls back to the filename stem when JSON omits it.
-		assert.Equal(t, "legacy", got.Name)
-	})
-}
-
-func TestAddProfile_AllowsDuplicateWithFlag(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		first, err := sm.AddProfile("work", username)
-		require.NoError(t, err)
-
-		second, err := sm.AddProfile("work", username)
-		require.NoError(t, err)
-		assert.NotEqual(t, first.ID, second.ID)
-		assert.Equal(t, "work", second.Name)
-	})
-}
-
-func TestAddProfile_RejectsInvalidNames(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		cases := []string{
-			"",                                       // empty
-			"\x00\x01",                               // only control chars (becomes empty)
-			strings.Repeat("a", maxProfileNameLen+1), // too long
-		}
-		for _, name := range cases {
-			_, err := sm.AddProfile(name, username)
-			assert.Error(t, err, "expected error for %q", name)
-		}
-	})
-}
-
-func TestRemoveProfile_RejectsInvalidID(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		err := sm.RemoveProfile("../escape", username)
-		assert.Error(t, err)
-	})
-}
-
-func TestSanitizeDisplayName(t *testing.T) {
-	cases := []struct {
-		in      string
-		want    string
-		wantErr bool
-	}{
-		{"work", "work", false},
-		{"My Work Account", "My Work Account", false},
-		{"emoji 🚀 ok", "emoji 🚀 ok", false},
-		{"漢字テスト", "漢字テスト", false},
-		{"with\x00null", "withnull", false},
-		{"\x01\x02\x03", "", true},
-		{"", "", true},
-	}
-	for _, tc := range cases {
-		got, err := sanitizeDisplayName(tc.in)
-		if tc.wantErr {
-			assert.Error(t, err, "case %q", tc.in)
-			continue
-		}
-		assert.NoError(t, err, "case %q", tc.in)
-		assert.Equal(t, tc.want, got, "case %q", tc.in)
-	}
-}
-
-func TestIsValidProfileFilenameStem(t *testing.T) {
-	cases := []struct {
-		in   string
-		want bool
-	}{
-		{"default", true},
-		{"abc123def456", true},
-		{"legacy-name", true},
-		{"legacy_name", true},
-		{"", false},
-		{"..", false},
-		{"../etc", false},
-		{"foo/bar", false},
-		{`foo\bar`, false},
-		{"with space", false},
-		{"with.dot", false},
-		{strings.Repeat("a", maxProfileIDLen+1), false},
-	}
-	for _, tc := range cases {
-		got := IsValidProfileFilenameStem(ID(tc.in))
-		assert.Equal(t, tc.want, got, "case %q", tc.in)
-	}
-}
-
-func TestRemoveProfile_DeletesStateFile(t *testing.T) {
-	withTestSM(t, func(sm *ServiceManager, username string) {
-		created, err := sm.AddProfile("work", username)
-		require.NoError(t, err)
-
-		configDir, err := sm.getConfigDir(username)
-		require.NoError(t, err)
-		statePath := filepath.Join(configDir, created.ID.String()+".state.json")
-		require.NoError(t, os.WriteFile(statePath, []byte(`{"email":"a@b"}`), 0600))
-
-		require.NoError(t, sm.RemoveProfile(created.ID, username))
-		_, err = os.Stat(statePath)
-		assert.True(t, errors.Is(err, os.ErrNotExist), "state file should be removed")
-	})
-}

client/internal/profilemanager/state.go

@@ -13,20 +13,13 @@ type ProfileState struct {
 	Email string `json:"email"`
 }
 
-// GetProfileState reads the per-profile state file keyed by profile ID.
-// The state file lives in the user's config directory. Legacy state files
-// keyed by the old profile name remain readable.
-func (pm *ProfileManager) GetProfileState(id ID) (*ProfileState, error) {
+func (pm *ProfileManager) GetProfileState(profileName string) (*ProfileState, error) {
 	configDir, err := getConfigDir()
 	if err != nil {
 		return nil, fmt.Errorf("get config directory: %w", err)
 	}
 
-	if id != defaultProfileName && !IsValidProfileFilenameStem(id) {
-		return nil, fmt.Errorf("invalid profile ID: %q", id)
-	}
-
-	stateFile := filepath.Join(configDir, id.String()+".state.json")
+	stateFile := filepath.Join(configDir, profileName+".state.json")
 	stateFileExists, err := fileExists(stateFile)
 	if err != nil {
 		return nil, fmt.Errorf("failed to check if profile state file exists: %w", err)
@@ -58,12 +51,7 @@ func (pm *ProfileManager) SetActiveProfileState(state *ProfileState) error {
 		return fmt.Errorf("get active profile: %w", err)
 	}
 
-	id := activeProf.ID
-	if id != defaultProfileName && !IsValidProfileFilenameStem(id) {
-		return fmt.Errorf("invalid active profile ID: %q", id)
-	}
-
-	stateFile := filepath.Join(configDir, id.String()+".state.json")
+	stateFile := filepath.Join(configDir, activeProf.Name+".state.json")
 	err = util.WriteJsonWithRestrictedPermission(context.Background(), stateFile, state)
 	if err != nil {
 		return fmt.Errorf("write profile state: %w", err)

client/internal/routemanager/dnsinterceptor/handler.go

@@ -251,14 +251,6 @@ func (d *DnsInterceptor) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		r.MsgHdr.AuthenticatedData = true
 	}
 
-	// Advertise EDNS0 to the forwarder so it may return an Extended DNS Error
-	// describing why a lookup failed. The OPT is stripped from the reply when
-	// the original client did not request EDNS0.
-	hadEdns := r.IsEdns0() != nil
-	if !hadEdns {
-		r.SetEdns0(dns.DefaultMsgSize, false)
-	}
-
 	upstream := net.JoinHostPort(upstreamIP.String(), strconv.FormatUint(uint64(d.forwarderPort.Load()), 10))
 	ctx, cancel := context.WithTimeout(context.Background(), dnsTimeout)
 	defer cancel()
@@ -268,13 +260,6 @@ func (d *DnsInterceptor) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		return
 	}
 
-	if ede, ok := resutil.ExtractEDE(reply); ok {
-		resutil.SetMeta(w, "ede", fmt.Sprintf("%d %s", ede.InfoCode, ede.ExtraText))
-	}
-	if !hadEdns {
-		resutil.StripOPT(reply)
-	}
-
 	resutil.SetMeta(w, "peer", peerKey)
 
 	reply.Id = r.Id

client/internal/routemanager/manager.go

@@ -333,8 +333,6 @@ func (m *DefaultManager) Stop(stateManager *statemanager.Manager) {
 		}
 	}
 
-	m.notifier.Close()
-
 	m.mux.Lock()
 	defer m.mux.Unlock()
 	m.clientRoutes = nil

client/internal/routemanager/notifier/notifier_android.go

@@ -16,7 +16,7 @@ import (
 type Notifier struct {
 	initialRoutes []*route.Route
 	currentRoutes []*route.Route
-	fakeIPRoutes  []*route.Route
+	fakeIPRoutes []*route.Route
 
 	listener    listener.NetworkChangeListener
 	listenerMux sync.Mutex
@@ -119,7 +119,3 @@ func (n *Notifier) GetInitialRouteRanges() []string {
 	sort.Strings(initialStrings)
 	return initialStrings
 }
-
-func (n *Notifier) Close() {
-	// unused
-}

client/internal/routemanager/notifier/notifier_ios.go

@@ -3,7 +3,6 @@
 package notifier
 
 import (
-	"container/list"
 	"net/netip"
 	"slices"
 	"sort"
@@ -15,26 +14,19 @@ import (
 )
 
 type Notifier struct {
-	mu              sync.Mutex
-	cond            *sync.Cond
 	currentPrefixes []string
-	listener        listener.NetworkChangeListener
-	queue           *list.List
-	closed          bool
+
+	listener    listener.NetworkChangeListener
+	listenerMux sync.Mutex
 }
 
 func NewNotifier() *Notifier {
-	n := &Notifier{
-		queue: list.New(),
-	}
-	n.cond = sync.NewCond(&n.mu)
-	go n.deliverLoop()
-	return n
+	return &Notifier{}
 }
 
 func (n *Notifier) SetListener(listener listener.NetworkChangeListener) {
-	n.mu.Lock()
-	defer n.mu.Unlock()
+	n.listenerMux.Lock()
+	defer n.listenerMux.Unlock()
 	n.listener = listener
 }
 
@@ -51,52 +43,32 @@ func (n *Notifier) OnNewRoutes(route.HAMap) {
 }
 
 func (n *Notifier) OnNewPrefixes(prefixes []netip.Prefix) {
-	newNets := make([]string, 0, len(prefixes))
+	newNets := make([]string, 0)
 	for _, prefix := range prefixes {
 		newNets = append(newNets, prefix.String())
 	}
 
 	sort.Strings(newNets)
 
-	n.mu.Lock()
 	if slices.Equal(n.currentPrefixes, newNets) {
-		n.mu.Unlock()
 		return
 	}
-	n.currentPrefixes = newNets
-	routes := strings.Join(n.currentPrefixes, ",")
-	n.queue.PushBack(routes)
-	n.cond.Signal()
-	n.mu.Unlock()
-}
 
-func (n *Notifier) Close() {
-	n.mu.Lock()
-	n.closed = true
-	n.cond.Signal()
-	n.mu.Unlock()
+	n.currentPrefixes = newNets
+	n.notify()
+}
+func (n *Notifier) notify() {
+	n.listenerMux.Lock()
+	defer n.listenerMux.Unlock()
+	if n.listener == nil {
+		return
+	}
+
+	go func(l listener.NetworkChangeListener) {
+		l.OnNetworkChanged(strings.Join(n.currentPrefixes, ","))
+	}(n.listener)
 }
 
 func (n *Notifier) GetInitialRouteRanges() []string {
 	return nil
 }
-
-func (n *Notifier) deliverLoop() {
-	for {
-		n.mu.Lock()
-		for n.queue.Len() == 0 && !n.closed {
-			n.cond.Wait()
-		}
-		if n.closed && n.queue.Len() == 0 {
-			n.mu.Unlock()
-			return
-		}
-		routes := n.queue.Remove(n.queue.Front()).(string)
-		l := n.listener
-		n.mu.Unlock()
-
-		if l != nil {
-			l.OnNetworkChanged(routes)
-		}
-	}
-}

client/internal/routemanager/notifier/notifier_other.go

@@ -38,7 +38,3 @@ func (n *Notifier) OnNewPrefixes(prefixes []netip.Prefix) {
 func (n *Notifier) GetInitialRouteRanges() []string {
 	return []string{}
 }
-
-func (n *Notifier) Close() {
-	// unused
-}

client/ios/NetBirdSDK/login.go

@@ -36,7 +36,6 @@ type URLOpener interface {
 // Auth can register or login new client
 type Auth struct {
 	ctx     context.Context
-	cancel  context.CancelFunc
 	config  *profilemanager.Config
 	cfgPath string
 }
@@ -52,19 +51,8 @@ func NewAuth(cfgPath string, mgmURL string) (*Auth, error) {
 		return nil, err
 	}
 
-	// Use a cancellable context so Stop() can abort an in-progress interactive
-	// login. The PKCE flow's WaitToken blocks (and keeps its loopback HTTP server
-	// bound to a port) until the OAuth callback arrives or the flow expires;
-	// cancelling the context unblocks WaitToken, which then shuts that server down
-	// and frees the port for the next login attempt. iOS runs login in the main-app
-	// process (decoupled from the network extension), so without this the server
-	// lingers after the user dismisses the browser and the next connect stalls
-	// trying to bind the same port.
-	ctx, cancel := context.WithCancel(context.Background())
-
 	return &Auth{
-		ctx:     ctx,
-		cancel:  cancel,
+		ctx:     context.Background(),
 		config:  cfg,
 		cfgPath: cfgPath,
 	}, nil
@@ -72,24 +60,12 @@ func NewAuth(cfgPath string, mgmURL string) (*Auth, error) {
 
 // NewAuthWithConfig instantiate Auth based on existing config
 func NewAuthWithConfig(ctx context.Context, config *profilemanager.Config) *Auth {
-	ctx, cancel := context.WithCancel(ctx)
 	return &Auth{
 		ctx:    ctx,
-		cancel: cancel,
 		config: config,
 	}
 }
 
-// Stop aborts an in-progress interactive login started via Login/LoginWithDeviceName.
-// It cancels the auth context, which unblocks the PKCE WaitToken and shuts down its
-// loopback HTTP server, freeing the redirect port. Safe to call multiple times and
-// safe to call when no login is running.
-func (a *Auth) Stop() {
-	if a.cancel != nil {
-		a.cancel()
-	}
-}
-
 // SaveConfigIfSSOSupported test the connectivity with the management server by retrieving the server device flow info.
 // If it returns a flow info than save the configuration and return true. If it gets a codes.NotFound, it means that SSO
 // is not supported and returns false without saving the configuration. For other errors return false.

client/proto/daemon.proto

@@ -85,8 +85,6 @@ service DaemonService {
 
   rpc AddProfile(AddProfileRequest) returns (AddProfileResponse) {}
 
-  rpc RenameProfile(RenameProfileRequest) returns (RenameProfileResponse) {}
-
   rpc RemoveProfile(RemoveProfileRequest) returns (RemoveProfileResponse) {}
 
   rpc ListProfiles(ListProfilesRequest) returns (ListProfilesResponse) {}
@@ -627,18 +625,11 @@ message GetEventsResponse {
 }
 
 message SwitchProfileRequest {
-  // profileName is treated as a handle: exact ID, unique ID prefix, or
-  // unique display name. The daemon resolves it server-side.
   optional string profileName = 1;
   optional string username = 2;
 }
 
-message SwitchProfileResponse {
-  // id is the resolved on-disk ID of the profile that became active.
-  // Lets CLI clients update their local active-profile state without
-  // duplicating the resolution logic.
-  string id = 1;
-}
+message SwitchProfileResponse {}
 
 message SetConfigRequest {
   string username = 1;
@@ -705,42 +696,17 @@ message SetConfigResponse{}
 
 message AddProfileRequest {
   string username = 1;
-  // profileName carries the human-readable display name for the new
-  // profile. The on-disk filename is a separately-generated ID.
   string profileName = 2;
 }
 
-message AddProfileResponse {
-  // id is the generated on-disk ID of the new profile. CLI clients
-  // display a truncated form, UI clients can ignore it.
-  string id = 1;
-}
-
-message RenameProfileRequest {
-  string username = 1;
-  // handle: an exact ID, a unique ID prefix, or a unique display name.
-  string handle = 2;
-  // newProfileName is the new human-readable display name for the profile.
-  string newProfileName = 3;
-}
-
-message RenameProfileResponse {
-  // confirm the old profile name after resolving handle.
-  string oldProfileName = 1;
-}
+message AddProfileResponse {}
 
 message RemoveProfileRequest {
   string username = 1;
-  // profileName is treated as a handle: an exact ID, a unique ID
-  // prefix, or a unique display name. Resolution happens server-side.
   string profileName = 2;
 }
 
-message RemoveProfileResponse {
-  // id is the full resolved ID of the removed profile, so callers can
-  // confirm exactly which profile a name/prefix handle resolved to.
-  string id = 1;
-}
+message RemoveProfileResponse {}
 
 message ListProfilesRequest {
   string username = 1;
@@ -753,7 +719,6 @@ message ListProfilesResponse {
 message Profile {
   string name = 1;
   bool is_active = 2;
-  string id = 3;
 }
 
 message GetActiveProfileRequest {}
@@ -761,7 +726,6 @@ message GetActiveProfileRequest {}
 message GetActiveProfileResponse {
   string profileName = 1;
   string username = 2;
-  string id = 3;
 }
 
 message LogoutRequest {

client/proto/daemon_grpc.pb.go

@@ -45,7 +45,6 @@ const (
 	DaemonService_SwitchProfile_FullMethodName              = "/daemon.DaemonService/SwitchProfile"
 	DaemonService_SetConfig_FullMethodName                  = "/daemon.DaemonService/SetConfig"
 	DaemonService_AddProfile_FullMethodName                 = "/daemon.DaemonService/AddProfile"
-	DaemonService_RenameProfile_FullMethodName              = "/daemon.DaemonService/RenameProfile"
 	DaemonService_RemoveProfile_FullMethodName              = "/daemon.DaemonService/RemoveProfile"
 	DaemonService_ListProfiles_FullMethodName               = "/daemon.DaemonService/ListProfiles"
 	DaemonService_GetActiveProfile_FullMethodName           = "/daemon.DaemonService/GetActiveProfile"
@@ -113,7 +112,6 @@ type DaemonServiceClient interface {
 	SwitchProfile(ctx context.Context, in *SwitchProfileRequest, opts ...grpc.CallOption) (*SwitchProfileResponse, error)
 	SetConfig(ctx context.Context, in *SetConfigRequest, opts ...grpc.CallOption) (*SetConfigResponse, error)
 	AddProfile(ctx context.Context, in *AddProfileRequest, opts ...grpc.CallOption) (*AddProfileResponse, error)
-	RenameProfile(ctx context.Context, in *RenameProfileRequest, opts ...grpc.CallOption) (*RenameProfileResponse, error)
 	RemoveProfile(ctx context.Context, in *RemoveProfileRequest, opts ...grpc.CallOption) (*RemoveProfileResponse, error)
 	ListProfiles(ctx context.Context, in *ListProfilesRequest, opts ...grpc.CallOption) (*ListProfilesResponse, error)
 	GetActiveProfile(ctx context.Context, in *GetActiveProfileRequest, opts ...grpc.CallOption) (*GetActiveProfileResponse, error)
@@ -424,16 +422,6 @@ func (c *daemonServiceClient) AddProfile(ctx context.Context, in *AddProfileRequ
 	return out, nil
 }
 
-func (c *daemonServiceClient) RenameProfile(ctx context.Context, in *RenameProfileRequest, opts ...grpc.CallOption) (*RenameProfileResponse, error) {
-	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
-	out := new(RenameProfileResponse)
-	err := c.cc.Invoke(ctx, DaemonService_RenameProfile_FullMethodName, in, out, cOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 func (c *daemonServiceClient) RemoveProfile(ctx context.Context, in *RemoveProfileRequest, opts ...grpc.CallOption) (*RemoveProfileResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(RemoveProfileResponse)
@@ -625,7 +613,6 @@ type DaemonServiceServer interface {
 	SwitchProfile(context.Context, *SwitchProfileRequest) (*SwitchProfileResponse, error)
 	SetConfig(context.Context, *SetConfigRequest) (*SetConfigResponse, error)
 	AddProfile(context.Context, *AddProfileRequest) (*AddProfileResponse, error)
-	RenameProfile(context.Context, *RenameProfileRequest) (*RenameProfileResponse, error)
 	RemoveProfile(context.Context, *RemoveProfileRequest) (*RemoveProfileResponse, error)
 	ListProfiles(context.Context, *ListProfilesRequest) (*ListProfilesResponse, error)
 	GetActiveProfile(context.Context, *GetActiveProfileRequest) (*GetActiveProfileResponse, error)
@@ -736,9 +723,6 @@ func (UnimplementedDaemonServiceServer) SetConfig(context.Context, *SetConfigReq
 func (UnimplementedDaemonServiceServer) AddProfile(context.Context, *AddProfileRequest) (*AddProfileResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method AddProfile not implemented")
 }
-func (UnimplementedDaemonServiceServer) RenameProfile(context.Context, *RenameProfileRequest) (*RenameProfileResponse, error) {
-	return nil, status.Error(codes.Unimplemented, "method RenameProfile not implemented")
-}
 func (UnimplementedDaemonServiceServer) RemoveProfile(context.Context, *RemoveProfileRequest) (*RemoveProfileResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method RemoveProfile not implemented")
 }
@@ -1253,24 +1237,6 @@ func _DaemonService_AddProfile_Handler(srv interface{}, ctx context.Context, dec
 	return interceptor(ctx, in, info, handler)
 }
 
-func _DaemonService_RenameProfile_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(RenameProfileRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(DaemonServiceServer).RenameProfile(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: DaemonService_RenameProfile_FullMethodName,
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(DaemonServiceServer).RenameProfile(ctx, req.(*RenameProfileRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
 func _DaemonService_RemoveProfile_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(RemoveProfileRequest)
 	if err := dec(in); err != nil {
@@ -1601,10 +1567,6 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "AddProfile",
 			Handler:    _DaemonService_AddProfile_Handler,
 		},
-		{
-			MethodName: "RenameProfile",
-			Handler:    _DaemonService_RenameProfile_Handler,
-		},
 		{
 			MethodName: "RemoveProfile",
 			Handler:    _DaemonService_RemoveProfile_Handler,

client/server/login_overrides_test.go

@@ -79,7 +79,7 @@ func TestPersistLoginOverrides(t *testing.T) {
 			_, err := profilemanager.UpdateOrCreateConfig(seed)
 			require.NoError(t, err, "seed config")
 
-			activeProf := &profilemanager.ActiveProfileState{ID: "default"}
+			activeProf := &profilemanager.ActiveProfileState{Name: "default"}
 			err = persistLoginOverrides(activeProf, tt.newMgmtURL, tt.newPSK)
 			require.NoError(t, err, "persistLoginOverrides")
 

client/server/server.go

@@ -78,7 +78,7 @@ type Server struct {
 	// changed by connectWithRetryRuns goroutine exit — for that
 	// (goroutine-still-alive) check, see connectionGoroutineRunning() which
 	// derives from clientGiveUpChan close state. Protected by s.mutex.
-	clientRunning     bool
+	clientRunning          bool
 	clientRunningChan chan struct{}
 	clientGiveUpChan  chan struct{} // closed when connectWithRetryRuns goroutine exits
 
@@ -375,7 +375,7 @@ func (s *Server) SetConfig(callerCtx context.Context, msg *proto.SetConfigReques
 		return nil, err
 	}
 
-	config, err := s.setConfigInputFromRequest(msg)
+	config, err := setConfigInputFromRequest(msg)
 	if err != nil {
 		return nil, err
 	}
@@ -398,17 +398,17 @@ func (s *Server) SetConfig(callerCtx context.Context, msg *proto.SetConfigReques
 // field is its own optional case. Returns the resolved ConfigInput
 // and a non-nil error only when the active profile file path cannot
 // be determined.
-func (s *Server) setConfigInputFromRequest(msg *proto.SetConfigRequest) (profilemanager.ConfigInput, error) {
+func setConfigInputFromRequest(msg *proto.SetConfigRequest) (profilemanager.ConfigInput, error) {
 	var config profilemanager.ConfigInput
 
-	resolved, err := s.resolveProfileHandle(msg.ProfileName, msg.Username)
-	if err != nil {
-		log.Errorf("failed to resolve profile %q: %v", msg.ProfileName, err)
-		return config, err
+	profState := profilemanager.ActiveProfileState{
+		Name:     msg.ProfileName,
+		Username: msg.Username,
 	}
-	profPath := resolved.Path
-	if profPath == "" {
-		profPath = profilemanager.DefaultConfigPath
+	profPath, err := profState.FilePath()
+	if err != nil {
+		log.Errorf("failed to get active profile file path: %v", err)
+		return config, fmt.Errorf("failed to get active profile file path: %w", err)
 	}
 	config.ConfigPath = profPath
 
@@ -535,9 +535,30 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 	}
 
 	if msg.ProfileName != nil {
-		if _, err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
-			log.Errorf("failed to switch profile: %v", err)
-			return nil, err
+		if *msg.ProfileName != "default" && (msg.Username == nil || *msg.Username == "") {
+			log.Errorf("profile name is set to %s, but username is not provided", *msg.ProfileName)
+			return nil, fmt.Errorf("profile name is set to %s, but username is not provided", *msg.ProfileName)
+		}
+
+		var username string
+		if *msg.ProfileName != "default" {
+			username = *msg.Username
+		}
+
+		if *msg.ProfileName != activeProf.Name && username != activeProf.Username {
+			if s.checkProfilesDisabled() {
+				log.Errorf("profiles are disabled, you cannot use this feature without profiles enabled")
+				return nil, gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
+			}
+
+			log.Infof("switching to profile %s for user '%s'", *msg.ProfileName, username)
+			if err := s.profileManager.SetActiveProfileState(&profilemanager.ActiveProfileState{
+				Name:     *msg.ProfileName,
+				Username: username,
+			}); err != nil {
+				log.Errorf("failed to set active profile state: %v", err)
+				return nil, fmt.Errorf("failed to set active profile state: %w", err)
+			}
 		}
 	}
 
@@ -547,7 +568,7 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 		return nil, fmt.Errorf("failed to get active profile state: %w", err)
 	}
 
-	log.Infof("active profile: %s for %s", activeProf.ID, activeProf.Username)
+	log.Infof("active profile: %s for %s", activeProf.Name, activeProf.Username)
 
 	s.mutex.Lock()
 
@@ -785,10 +806,10 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 	}
 
 	if msg != nil && msg.ProfileName != nil {
-		if _, err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
+		if err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
 			s.mutex.Unlock()
 			log.Errorf("failed to switch profile: %v", err)
-			return nil, err
+			return nil, fmt.Errorf("failed to switch profile: %w", err)
 		}
 	}
 
@@ -799,7 +820,7 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 		return nil, fmt.Errorf("failed to get active profile state: %w", err)
 	}
 
-	log.Infof("active profile: %s for %s", activeProf.ID, activeProf.Username)
+	log.Infof("active profile: %s for %s", activeProf.Name, activeProf.Username)
 
 	config, _, err := s.getConfig(activeProf)
 	if err != nil {
@@ -843,60 +864,34 @@ func (s *Server) waitForUp(callerCtx context.Context) (*proto.UpResponse, error)
 	}
 }
 
-// resolveProfileHandle resolves a wire-level profile handle (display
-// name, ID, or unique ID prefix) to a concrete profile. Returns gRPC
-// status errors so handlers can return them directly.
-func (s *Server) resolveProfileHandle(handle, username string) (*profilemanager.Profile, error) {
-	p, err := s.profileManager.ResolveProfile(handle, username)
-	if err == nil {
-		return p, nil
-	}
-	var amb *profilemanager.ErrAmbiguousHandle
-	if errors.As(err, &amb) {
-		return nil, gstatus.Errorf(codes.InvalidArgument, "%v", amb)
-	}
-	if errors.Is(err, profilemanager.ErrProfileNotFound) {
-		return nil, gstatus.Errorf(codes.NotFound, "profile %q not found", handle)
-	}
-	return nil, fmt.Errorf("resolve profile: %w", err)
-}
-
-// switchProfileIfNeeded resolves the user-supplied handle, updates the
-// active profile state if it differs from the current one, and returns
-// the resolved profile so callers can include its ID in RPC responses.
-func (s *Server) switchProfileIfNeeded(handle string, userName *string, activeProf *profilemanager.ActiveProfileState) (*profilemanager.Profile, error) {
-	if handle != profilemanager.DefaultProfileName && (userName == nil || *userName == "") {
-		log.Errorf("profile name is set to %s, but username is not provided", handle)
-		return nil, fmt.Errorf("profile name is set to %s, but username is not provided", handle)
+func (s *Server) switchProfileIfNeeded(profileName string, userName *string, activeProf *profilemanager.ActiveProfileState) error {
+	if profileName != "default" && (userName == nil || *userName == "") {
+		log.Errorf("profile name is set to %s, but username is not provided", profileName)
+		return fmt.Errorf("profile name is set to %s, but username is not provided", profileName)
 	}
 
 	var username string
-	if handle != profilemanager.DefaultProfileName {
+	if profileName != "default" {
 		username = *userName
 	}
 
-	resolved, err := s.resolveProfileHandle(handle, username)
-	if err != nil {
-		return nil, err
-	}
-
-	if resolved.ID != activeProf.ID || username != activeProf.Username {
+	if profileName != activeProf.Name || username != activeProf.Username {
 		if s.checkProfilesDisabled() {
 			log.Errorf("profiles are disabled, you cannot use this feature without profiles enabled")
-			return nil, gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
+			return gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
 		}
 
-		log.Infof("switching to profile %s (%s) for user %s", resolved.Name, resolved.ID, username)
+		log.Infof("switching to profile %s for user %s", profileName, username)
 		if err := s.profileManager.SetActiveProfileState(&profilemanager.ActiveProfileState{
-			ID:       resolved.ID,
+			Name:     profileName,
 			Username: username,
 		}); err != nil {
 			log.Errorf("failed to set active profile state: %v", err)
-			return nil, fmt.Errorf("failed to set active profile state: %w", err)
+			return fmt.Errorf("failed to set active profile state: %w", err)
 		}
 	}
 
-	return resolved, nil
+	return nil
 }
 
 // SwitchProfile switches the active profile in the daemon.
@@ -911,9 +906,9 @@ func (s *Server) SwitchProfile(callerCtx context.Context, msg *proto.SwitchProfi
 	}
 
 	if msg != nil && msg.ProfileName != nil {
-		if _, err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
+		if err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
 			log.Errorf("failed to switch profile: %v", err)
-			return nil, err
+			return nil, fmt.Errorf("failed to switch profile: %w", err)
 		}
 	}
 	activeProf, err = s.profileManager.GetActiveProfileState()
@@ -929,7 +924,7 @@ func (s *Server) SwitchProfile(callerCtx context.Context, msg *proto.SwitchProfi
 
 	s.config = config
 
-	return &proto.SwitchProfileResponse{Id: activeProf.ID.String()}, nil
+	return &proto.SwitchProfileResponse{}, nil
 }
 
 // Down engine work in the daemon.
@@ -993,10 +988,6 @@ func (s *Server) cleanupConnection() error {
 		return nil
 	}
 
-	// TODO: consider calling s.connectClient.Stop() instead of engine.Stop().
-	// actCancel() lets the run loop stop the engine too, so both stop it
-	// concurrently; ConnectClient.Stop cancels and waits for the run loop,
-	// making the run loop the sole owner of engine shutdown.
 	if engine != nil {
 		if err := engine.Stop(); err != nil {
 			return err
@@ -1023,27 +1014,22 @@ func (s *Server) Logout(ctx context.Context, msg *proto.LogoutRequest) (*proto.L
 }
 
 func (s *Server) handleProfileLogout(ctx context.Context, msg *proto.LogoutRequest) (*proto.LogoutResponse, error) {
+	if err := s.validateProfileOperation(*msg.ProfileName, true); err != nil {
+		return nil, err
+	}
+
 	if msg.Username == nil || *msg.Username == "" {
 		return nil, gstatus.Errorf(codes.InvalidArgument, "username must be provided when profile name is specified")
 	}
 	username := *msg.Username
 
-	resolved, err := s.resolveProfileHandle(*msg.ProfileName, username)
-	if err != nil {
-		return nil, err
-	}
-
-	if err := s.validateProfileOperation(resolved.ID, true); err != nil {
-		return nil, err
-	}
-
-	if err := s.logoutFromProfile(ctx, resolved); err != nil {
-		log.Errorf("failed to logout from profile %s: %v", resolved.ID, err)
+	if err := s.logoutFromProfile(ctx, *msg.ProfileName, username); err != nil {
+		log.Errorf("failed to logout from profile %s: %v", *msg.ProfileName, err)
 		return nil, gstatus.Errorf(codes.Internal, "logout: %v", err)
 	}
 
 	activeProf, _ := s.profileManager.GetActiveProfileState()
-	if activeProf != nil && activeProf.ID == resolved.ID {
+	if activeProf != nil && activeProf.Name == *msg.ProfileName {
 		if err := s.cleanupConnection(); err != nil && !errors.Is(err, ErrServiceNotUp) {
 			log.Errorf("failed to cleanup connection: %v", err)
 		}
@@ -1105,30 +1091,30 @@ func (s *Server) getConfig(activeProf *profilemanager.ActiveProfileState) (*prof
 	return config, configExisted, nil
 }
 
-func (s *Server) canRemoveProfile(id profilemanager.ID) error {
-	if id == profilemanager.DefaultProfileName {
+func (s *Server) canRemoveProfile(profileName string) error {
+	if profileName == profilemanager.DefaultProfileName {
 		return fmt.Errorf("remove profile with reserved name: %s", profilemanager.DefaultProfileName)
 	}
 
 	activeProf, err := s.profileManager.GetActiveProfileState()
-	if err == nil && activeProf.ID == id {
-		return fmt.Errorf("remove active profile: %s", id)
+	if err == nil && activeProf.Name == profileName {
+		return fmt.Errorf("remove active profile: %s", profileName)
 	}
 
 	return nil
 }
 
-func (s *Server) validateProfileOperation(id profilemanager.ID, allowActiveProfile bool) error {
+func (s *Server) validateProfileOperation(profileName string, allowActiveProfile bool) error {
 	if s.checkProfilesDisabled() {
 		return gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
 	}
 
-	if id == "" {
+	if profileName == "" {
 		return gstatus.Errorf(codes.InvalidArgument, "profile name must be provided")
 	}
 
 	if !allowActiveProfile {
-		if err := s.canRemoveProfile(id); err != nil {
+		if err := s.canRemoveProfile(profileName); err != nil {
 			return gstatus.Errorf(codes.InvalidArgument, "%v", err)
 		}
 	}
@@ -1136,20 +1122,25 @@ func (s *Server) validateProfileOperation(id profilemanager.ID, allowActiveProfi
 	return nil
 }
 
-func (s *Server) logoutFromProfile(ctx context.Context, profile *profilemanager.Profile) error {
+// logoutFromProfile logs out from a specific profile by loading its config and sending logout request
+func (s *Server) logoutFromProfile(ctx context.Context, profileName, username string) error {
 	activeProf, err := s.profileManager.GetActiveProfileState()
-	if err == nil && activeProf.ID == profile.ID && s.connectClient != nil {
+	if err == nil && activeProf.Name == profileName && s.connectClient != nil {
 		return s.sendLogoutRequest(ctx)
 	}
 
-	cfgPath := profile.Path
-	if cfgPath == "" {
-		cfgPath = profilemanager.DefaultConfigPath
+	profileState := &profilemanager.ActiveProfileState{
+		Name:     profileName,
+		Username: username,
+	}
+	profilePath, err := profileState.FilePath()
+	if err != nil {
+		return fmt.Errorf("get profile path: %w", err)
 	}
 
-	config, err := profilemanager.GetConfig(cfgPath)
+	config, err := profilemanager.GetConfig(profilePath)
 	if err != nil {
-		return fmt.Errorf("profile '%s' not found", profile.ID)
+		return fmt.Errorf("profile '%s' not found", profileName)
 	}
 
 	return s.sendLogoutRequestWithConfig(ctx, config)
@@ -1567,14 +1558,15 @@ func (s *Server) GetConfig(ctx context.Context, req *proto.GetConfigRequest) (*p
 		return nil, ctx.Err()
 	}
 
-	resolved, err := s.resolveProfileHandle(req.ProfileName, req.Username)
-	if err != nil {
-		log.Errorf("failed to resolve profile %q: %v", req.ProfileName, err)
-		return nil, err
+	prof := profilemanager.ActiveProfileState{
+		Name:     req.ProfileName,
+		Username: req.Username,
 	}
-	cfgPath := resolved.Path
-	if cfgPath == "" {
-		cfgPath = profilemanager.DefaultConfigPath
+
+	cfgPath, err := prof.FilePath()
+	if err != nil {
+		log.Errorf("failed to get active profile file path: %v", err)
+		return nil, fmt.Errorf("failed to get active profile file path: %w", err)
 	}
 
 	cfg, err := profilemanager.GetConfig(cfgPath)
@@ -1679,39 +1671,12 @@ func (s *Server) AddProfile(ctx context.Context, msg *proto.AddProfileRequest) (
 		return nil, gstatus.Errorf(codes.InvalidArgument, "profile name and username must be provided")
 	}
 
-	created, err := s.profileManager.AddProfile(msg.ProfileName, msg.Username)
-	if err != nil {
+	if err := s.profileManager.AddProfile(msg.ProfileName, msg.Username); err != nil {
 		log.Errorf("failed to create profile: %v", err)
 		return nil, fmt.Errorf("failed to create profile: %w", err)
 	}
 
-	return &proto.AddProfileResponse{Id: created.ID.String()}, nil
-}
-
-func (s *Server) RenameProfile(ctx context.Context, msg *proto.RenameProfileRequest) (*proto.RenameProfileResponse, error) {
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
-
-	if s.checkProfilesDisabled() {
-		return nil, gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
-	}
-
-	if msg.Handle == "" || msg.Username == "" || msg.NewProfileName == "" {
-		return nil, gstatus.Errorf(codes.InvalidArgument, "profile name, username and new profile name must be provided")
-	}
-
-	resolved, err := s.resolveProfileHandle(msg.Handle, msg.Username)
-	if err != nil {
-		return nil, err
-	}
-
-	err = s.profileManager.RenameProfile(resolved.ID, msg.Username, msg.NewProfileName)
-	if err != nil {
-		log.Errorf("failed to rename profile: %v", err)
-		return nil, fmt.Errorf("failed to rename profile: %w", err)
-	}
-
-	return &proto.RenameProfileResponse{OldProfileName: resolved.Name}, nil
+	return &proto.AddProfileResponse{}, nil
 }
 
 // RemoveProfile removes a profile from the daemon.
@@ -1719,29 +1684,20 @@ func (s *Server) RemoveProfile(ctx context.Context, msg *proto.RemoveProfileRequ
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
-	if s.checkProfilesDisabled() {
-		return nil, gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
-	}
-
-	if msg.ProfileName == "" {
-		return nil, gstatus.Errorf(codes.InvalidArgument, "profile name must be provided")
-	}
-
-	resolved, err := s.resolveProfileHandle(msg.ProfileName, msg.Username)
-	if err != nil {
+	if err := s.validateProfileOperation(msg.ProfileName, false); err != nil {
 		return nil, err
 	}
 
-	if err := s.logoutFromProfile(ctx, resolved); err != nil {
-		log.Warnf("failed to logout from profile %s before removal: %v", resolved.ID, err)
+	if err := s.logoutFromProfile(ctx, msg.ProfileName, msg.Username); err != nil {
+		log.Warnf("failed to logout from profile %s before removal: %v", msg.ProfileName, err)
 	}
 
-	if err := s.profileManager.RemoveProfile(resolved.ID, msg.Username); err != nil {
+	if err := s.profileManager.RemoveProfile(msg.ProfileName, msg.Username); err != nil {
 		log.Errorf("failed to remove profile: %v", err)
 		return nil, fmt.Errorf("failed to remove profile: %w", err)
 	}
 
-	return &proto.RemoveProfileResponse{Id: resolved.ID.String()}, nil
+	return &proto.RemoveProfileResponse{}, nil
 }
 
 // ListProfiles lists all profiles in the daemon.
@@ -1764,7 +1720,6 @@ func (s *Server) ListProfiles(ctx context.Context, msg *proto.ListProfilesReques
 	}
 	for i, profile := range profiles {
 		response.Profiles[i] = &proto.Profile{
-			Id:       profile.ID.String(),
 			Name:     profile.Name,
 			IsActive: profile.IsActive,
 		}
@@ -1773,9 +1728,7 @@ func (s *Server) ListProfiles(ctx context.Context, msg *proto.ListProfilesReques
 	return response, nil
 }
 
-// GetActiveProfile returns the active profile in the daemon. The ProfileName
-// field carries the display name for backwards compatibility with UI clients,
-// new callers should prefer Id.
+// GetActiveProfile returns the active profile in the daemon.
 func (s *Server) GetActiveProfile(ctx context.Context, msg *proto.GetActiveProfileRequest) (*proto.GetActiveProfileResponse, error) {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
@@ -1786,23 +1739,9 @@ func (s *Server) GetActiveProfile(ctx context.Context, msg *proto.GetActiveProfi
 		return nil, fmt.Errorf("failed to get active profile state: %w", err)
 	}
 
-	// Fallback to legacy name == ID
-	displayName := activeProfile.ID.String()
-	if activeProfile.ID != profilemanager.DefaultProfileName {
-		if profiles, lerr := s.profileManager.ListProfiles(activeProfile.Username); lerr == nil {
-			for _, p := range profiles {
-				if p.ID == activeProfile.ID {
-					displayName = p.Name
-					break
-				}
-			}
-		}
-	}
-
 	return &proto.GetActiveProfileResponse{
-		ProfileName: displayName,
+		ProfileName: activeProfile.Name,
 		Username:    activeProfile.Username,
-		Id:          activeProfile.ID.String(),
 	}, nil
 }
 

client/server/server_test.go

@@ -97,7 +97,7 @@ func TestConnectWithRetryRuns(t *testing.T) {
 
 	pm := profilemanager.ServiceManager{}
 	err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		ID:       "test-profile",
+		Name:     "test-profile",
 		Username: currUser.Username,
 	})
 	if err != nil {
@@ -158,7 +158,7 @@ func TestServer_Up(t *testing.T) {
 
 	pm := profilemanager.ServiceManager{}
 	err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		ID:       profilemanager.ID(profName),
+		Name:     profName,
 		Username: currUser.Username,
 	})
 	if err != nil {
@@ -228,7 +228,7 @@ func TestServer_SubcribeEvents(t *testing.T) {
 
 	pm := profilemanager.ServiceManager{}
 	err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		ID:       "default",
+		Name:     "default",
 		Username: currUser.Username,
 	})
 	if err != nil {

client/server/setconfig_mdm_test.go

@@ -62,7 +62,7 @@ func setupServerWithProfile(t *testing.T) (s *Server, ctx context.Context, profN
 
 	pm := profilemanager.ServiceManager{}
 	require.NoError(t, pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		ID:       profilemanager.ID(profName),
+		Name:     profName,
 		Username: currUser.Username,
 	}))
 
@@ -107,9 +107,9 @@ func TestSetConfig_MDMReject_SingleField(t *testing.T) {
 
 func TestSetConfig_MDMReject_MultipleFields(t *testing.T) {
 	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
-		mdm.KeyManagementURL:    "https://mdm.example.com:443",
-		mdm.KeyBlockInbound:     true,
-		mdm.KeyRosenpassEnabled: true,
+		mdm.KeyManagementURL:     "https://mdm.example.com:443",
+		mdm.KeyBlockInbound:      true,
+		mdm.KeyRosenpassEnabled:  true,
 	}))
 
 	s, ctx, profName, username, _ := setupServerWithProfile(t)

client/server/setconfig_test.go

@@ -47,7 +47,7 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 
 	pm := profilemanager.ServiceManager{}
 	err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		ID:       profilemanager.ID(profName),
+		Name:     profName,
 		Username: currUser.Username,
 	})
 	require.NoError(t, err)
@@ -96,7 +96,7 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 		DisableNotifications:  &disableNotifications,
 		LazyConnectionEnabled: &lazyConnectionEnabled,
 		BlockInbound:          &blockInbound,
-		DisableIpv6:           &disableIPv6,
+		DisableIpv6:          &disableIPv6,
 		NatExternalIPs:        []string{"1.2.3.4", "5.6.7.8"},
 		CleanNATExternalIPs:   false,
 		CustomDNSAddress:      []byte("1.1.1.1:53"),
@@ -112,7 +112,7 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 	require.NoError(t, err)
 
 	profState := profilemanager.ActiveProfileState{
-		ID:       profilemanager.ID(profName),
+		Name:     profName,
 		Username: currUser.Username,
 	}
 	cfgPath, err := profState.FilePath()

client/system/info.go

@@ -2,10 +2,8 @@ package system
 
 import (
 	"context"
-	"errors"
 	"net/netip"
 	"strings"
-	"time"
 
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc/metadata"
@@ -156,7 +154,7 @@ func GetInfoWithChecks(ctx context.Context, checks []*proto.Checks) (*Info, erro
 		processCheckPaths = append(processCheckPaths, check.GetFiles()...)
 	}
 
-	files, err := checkFileAndProcess(ctx, processCheckPaths)
+	files, err := checkFileAndProcess(processCheckPaths)
 	if err != nil {
 		return nil, err
 	}
@@ -168,39 +166,3 @@ func GetInfoWithChecks(ctx context.Context, checks []*proto.Checks) (*Info, erro
 	log.Debugf("all system information gathered successfully")
 	return info, nil
 }
-
-// GetInfoWithChecksTimeout is GetInfoWithChecks bounded by timeout. Posture-check gathering
-// runs uncancellable system calls (process enumeration, os.Stat), so calling it inline can
-// block the caller for as long as such a call hangs. It runs in a goroutine instead: if it
-// does not return within timeout the caller gets (nil, false) and should proceed with
-// degraded behavior rather than block. On a gathering error it falls back to base GetInfo.
-//
-// The buffered channel lets the abandoned goroutine finish and exit once its blocking call
-// returns, so it does not leak beyond the duration of that call.
-func GetInfoWithChecksTimeout(ctx context.Context, timeout time.Duration, checks []*proto.Checks) (*Info, bool) {
-	ctx, cancel := context.WithTimeout(ctx, timeout)
-	defer cancel()
-
-	infoCh := make(chan *Info, 1)
-	go func() {
-		info, err := GetInfoWithChecks(ctx, checks)
-		if err != nil {
-			log.Warnf("failed to get system info with checks: %v", err)
-			info = GetInfo(ctx)
-		}
-		infoCh <- info
-	}()
-
-	select {
-	case info := <-infoCh:
-		return info, true
-	case <-ctx.Done():
-		if errors.Is(ctx.Err(), context.DeadlineExceeded) {
-			log.Warnf("gathering system info with checks timed out after %s", timeout)
-		} else {
-			// Parent context canceled (e.g. shutdown), not a timeout.
-			log.Warnf("gathering system info with checks canceled: %v", ctx.Err())
-		}
-		return nil, false
-	}
-}

client/system/info_android.go

@@ -50,7 +50,7 @@ func GetInfo(ctx context.Context) *Info {
 }
 
 // checkFileAndProcess checks if the file path exists and if a process is running at that path.
-func checkFileAndProcess(_ context.Context, _ []string) ([]File, error) {
+func checkFileAndProcess(paths []string) ([]File, error) {
 	return []File{}, nil
 }
 

client/system/info_darwin.go

@@ -32,7 +32,7 @@ func GetInfo(ctx context.Context) *Info {
 	sysName := string(bytes.Split(utsname.Sysname[:], []byte{0})[0])
 	machine := string(bytes.Split(utsname.Machine[:], []byte{0})[0])
 	release := string(bytes.Split(utsname.Release[:], []byte{0})[0])
-	swVersion, err := exec.CommandContext(ctx, "sw_vers", "-productVersion").Output()
+	swVersion, err := exec.Command("sw_vers", "-productVersion").Output()
 	if err != nil {
 		log.Warnf("got an error while retrieving macOS version with sw_vers, error: %s. Using darwin version instead.\n", err)
 		swVersion = []byte(release)

client/system/info_ios.go

@@ -105,7 +105,7 @@ func isDuplicated(addresses []NetworkAddress, addr NetworkAddress) bool {
 }
 
 // checkFileAndProcess checks if the file path exists and if a process is running at that path.
-func checkFileAndProcess(_ context.Context, _ []string) ([]File, error) {
+func checkFileAndProcess(paths []string) ([]File, error) {
 	return []File{}, nil
 }
 

client/system/info_js.go

@@ -103,7 +103,7 @@ func collectLocationInfo(info *Info) {
 	}
 }
 
-func checkFileAndProcess(_ context.Context, _ []string) ([]File, error) {
+func checkFileAndProcess(_ []string) ([]File, error) {
 	return []File{}, nil
 }
 

client/system/info_test.go

@@ -3,7 +3,6 @@ package system
 import (
 	"context"
 	"testing"
-	"time"
 
 	"github.com/stretchr/testify/assert"
 	"google.golang.org/grpc/metadata"
@@ -35,20 +34,6 @@ func Test_CustomHostname(t *testing.T) {
 	assert.Equal(t, want, got.Hostname)
 }
 
-func TestGetInfoWithChecksTimeout_Success(t *testing.T) {
-	info, ok := GetInfoWithChecksTimeout(context.Background(), 30*time.Second, nil)
-	assert.True(t, ok, "expected gathering to complete within the timeout")
-	assert.NotNil(t, info)
-}
-
-func TestGetInfoWithChecksTimeout_Timeout(t *testing.T) {
-	// A 1ns budget expires before the (real) system-info gathering can finish, so the
-	// caller must get (nil, false) instead of blocking on the in-flight goroutine.
-	info, ok := GetInfoWithChecksTimeout(context.Background(), time.Nanosecond, nil)
-	assert.False(t, ok, "expected timeout to be reported")
-	assert.Nil(t, info)
-}
-
 func Test_NetAddresses(t *testing.T) {
 	addr, err := networkAddresses()
 	if err != nil {

client/system/process.go

@@ -3,30 +3,24 @@
 package system
 
 import (
-	"context"
 	"os"
 	"slices"
 
 	"github.com/shirou/gopsutil/v3/process"
 )
 
-// getRunningProcesses returns a list of running process paths. The context bounds the work:
-// the per-PID loop bails as soon as ctx is done, and the gopsutil calls honor it where they
-// can, so a stuck enumeration cannot run unbounded.
-func getRunningProcesses(ctx context.Context) ([]string, error) {
-	processIDs, err := process.PidsWithContext(ctx)
+// getRunningProcesses returns a list of running process paths.
+func getRunningProcesses() ([]string, error) {
+	processIDs, err := process.Pids()
 	if err != nil {
 		return nil, err
 	}
 
 	processMap := make(map[string]bool)
 	for _, pID := range processIDs {
-		if err := ctx.Err(); err != nil {
-			return nil, err
-		}
 		p := &process.Process{Pid: pID}
 
-		path, _ := p.ExeWithContext(ctx)
+		path, _ := p.Exe()
 		if path != "" {
 			processMap[path] = false
 		}
@@ -41,21 +35,18 @@ func getRunningProcesses(ctx context.Context) ([]string, error) {
 }
 
 // checkFileAndProcess checks if the file path exists and if a process is running at that path.
-func checkFileAndProcess(ctx context.Context, paths []string) ([]File, error) {
+func checkFileAndProcess(paths []string) ([]File, error) {
 	files := make([]File, len(paths))
 	if len(paths) == 0 {
 		return files, nil
 	}
 
-	runningProcesses, err := getRunningProcesses(ctx)
+	runningProcesses, err := getRunningProcesses()
 	if err != nil {
 		return nil, err
 	}
 
 	for i, path := range paths {
-		if err := ctx.Err(); err != nil {
-			return nil, err
-		}
 		file := File{Path: path}
 
 		_, err := os.Stat(path)

client/system/process_test.go

@@ -1,7 +1,6 @@
 package system
 
 import (
-	"context"
 	"testing"
 
 	"github.com/shirou/gopsutil/v3/process"
@@ -10,7 +9,7 @@ import (
 func Benchmark_getRunningProcesses(b *testing.B) {
 	b.Run("getRunningProcesses new", func(b *testing.B) {
 		for i := 0; i < b.N; i++ {
-			ps, err := getRunningProcesses(context.Background())
+			ps, err := getRunningProcesses()
 			if err != nil {
 				b.Fatalf("unexpected error: %v", err)
 			}
@@ -30,38 +29,12 @@ func Benchmark_getRunningProcesses(b *testing.B) {
 			}
 		}
 	})
-	s, _ := getRunningProcesses(context.Background())
+	s, _ := getRunningProcesses()
 	b.Logf("getRunningProcesses returned %d processes", len(s))
 	s, _ = getRunningProcessesOld()
 	b.Logf("getRunningProcessesOld returned %d processes", len(s))
 }
 
-func TestCheckFileAndProcess_ContextCanceled(t *testing.T) {
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	// With a canceled context and non-empty paths the gathering must bail with an error
-	// instead of running the (potentially blocking) process scan / stat loop.
-	if _, err := checkFileAndProcess(ctx, []string{"/does/not/exist"}); err == nil {
-		t.Fatal("expected error on canceled context, got nil")
-	}
-}
-
-func TestCheckFileAndProcess_EmptyPaths(t *testing.T) {
-	// No check paths means no work to do: it must return immediately with no error,
-	// even on a canceled context (nothing to scan or stat).
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	files, err := checkFileAndProcess(ctx, nil)
-	if err != nil {
-		t.Fatalf("unexpected error for empty paths: %v", err)
-	}
-	if len(files) != 0 {
-		t.Fatalf("expected no files, got %d", len(files))
-	}
-}
-
 func getRunningProcessesOld() ([]string, error) {
 	processes, err := process.Processes()
 	if err != nil {

client/ui/client_ui.go

@@ -645,7 +645,7 @@ func (s *serviceClient) buildSetConfigRequest(iMngURL string, port, mtu int64) (
 	}
 
 	req := &proto.SetConfigRequest{
-		ProfileName: activeProf.ID.String(),
+		ProfileName: activeProf.Name,
 		Username:    currUser.Username,
 	}
 
@@ -818,15 +818,13 @@ func (s *serviceClient) login(ctx context.Context, openURL bool) (*proto.LoginRe
 		return nil, fmt.Errorf("get current user: %w", err)
 	}
 
-	handle := activeProf.ID.String()
-
 	loginReq := &proto.LoginRequest{
 		IsUnixDesktopClient: runtime.GOOS == "linux" || runtime.GOOS == "freebsd",
-		ProfileName:         &handle,
+		ProfileName:         &activeProf.Name,
 		Username:            &currUser.Username,
 	}
 
-	profileState, err := s.profileManager.GetProfileState(activeProf.ID)
+	profileState, err := s.profileManager.GetProfileState(activeProf.Name)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {
@@ -1369,7 +1367,7 @@ func (s *serviceClient) getSrvConfig() {
 	}
 
 	srvCfg, err := conn.GetConfig(s.ctx, &proto.GetConfigRequest{
-		ProfileName: activeProf.ID.String(),
+		ProfileName: activeProf.Name,
 		Username:    currUser.Username,
 	})
 	if err != nil {
@@ -1615,7 +1613,7 @@ func (s *serviceClient) loadSettings() {
 	}
 
 	cfg, err := conn.GetConfig(s.ctx, &proto.GetConfigRequest{
-		ProfileName: activeProf.ID.String(),
+		ProfileName: activeProf.Name,
 		Username:    currUser.Username,
 	})
 	if err != nil {
@@ -1815,7 +1813,7 @@ func (s *serviceClient) updateConfig() error {
 	}
 
 	req := proto.SetConfigRequest{
-		ProfileName:           activeProf.ID.String(),
+		ProfileName:           activeProf.Name,
 		Username:              currUser.Username,
 		DisableAutoConnect:    &disableAutoStart,
 		ServerSSHAllowed:      &sshAllowed,

client/ui/profile.go

@@ -66,7 +66,7 @@ func (s *serviceClient) showProfilesUI() {
 			} else {
 				indicator.SetText("")
 			}
-			nameLabel.SetText(formatProfileLabel(profile, profiles))
+			nameLabel.SetText(profile.Name)
 
 			// Configure Select/Active button
 			selectBtn.SetText(func() string {
@@ -88,7 +88,7 @@ func (s *serviceClient) showProfilesUI() {
 							return
 						}
 						// switch
-						err = s.switchProfile(profile.ID)
+						err = s.switchProfile(profile.Name)
 						if err != nil {
 							log.Errorf("failed to switch profile: %v", err)
 							dialog.ShowError(errors.New("failed to select profile"), s.wProfiles)
@@ -130,7 +130,7 @@ func (s *serviceClient) showProfilesUI() {
 			logoutBtn.Show()
 			logoutBtn.SetText("Deregister")
 			logoutBtn.OnTapped = func() {
-				s.handleProfileLogout(profile, refresh)
+				s.handleProfileLogout(profile.Name, refresh)
 			}
 
 			// Remove profile
@@ -144,7 +144,7 @@ func (s *serviceClient) showProfilesUI() {
 							return
 						}
 
-						err = s.removeProfile(profile.ID)
+						err = s.removeProfile(profile.Name)
 						if err != nil {
 							log.Errorf("failed to remove profile: %v", err)
 							dialog.ShowError(fmt.Errorf("failed to remove profile"), s.wProfiles)
@@ -250,7 +250,7 @@ func (s *serviceClient) addProfile(profileName string) error {
 	return nil
 }
 
-func (s *serviceClient) switchProfile(handle string) error {
+func (s *serviceClient) switchProfile(profileName string) error {
 	conn, err := s.getSrvClient(defaultFailTimeout)
 	if err != nil {
 		return fmt.Errorf(getClientFMT, err)
@@ -261,15 +261,15 @@ func (s *serviceClient) switchProfile(handle string) error {
 		return fmt.Errorf("get current user: %w", err)
 	}
 
-	resp, err := conn.SwitchProfile(s.ctx, &proto.SwitchProfileRequest{
-		ProfileName: &handle,
+	if _, err := conn.SwitchProfile(s.ctx, &proto.SwitchProfileRequest{
+		ProfileName: &profileName,
 		Username:    &currUser.Username,
-	})
-	if err != nil {
+	}); err != nil {
 		return fmt.Errorf("switch profile failed: %w", err)
 	}
 
-	if err := s.profileManager.SwitchProfile(profilemanager.ID(resp.Id)); err != nil {
+	err = s.profileManager.SwitchProfile(profileName)
+	if err != nil {
 		return fmt.Errorf("switch profile: %w", err)
 	}
 
@@ -299,27 +299,10 @@ func (s *serviceClient) removeProfile(profileName string) error {
 }
 
 type Profile struct {
-	ID       string
 	Name     string
 	IsActive bool
 }
 
-// formatProfileLabel returns the display label for a profile. Profiles can
-// share the same Name, so when more than one profile in profiles carries this
-// Name, a short form of the ID is appended to disambiguate the entries.
-func formatProfileLabel(profile Profile, profiles []Profile) string {
-	count := 0
-	for _, p := range profiles {
-		if p.Name == profile.Name {
-			count++
-		}
-	}
-	if count <= 1 {
-		return profile.Name
-	}
-	return fmt.Sprintf("%s (%s)", profile.Name, profilemanager.ID(profile.ID).ShortID())
-}
-
 func (s *serviceClient) getProfiles() ([]Profile, error) {
 	conn, err := s.getSrvClient(defaultFailTimeout)
 	if err != nil {
@@ -341,7 +324,6 @@ func (s *serviceClient) getProfiles() ([]Profile, error) {
 
 	for _, profile := range profilesResp.Profiles {
 		profiles = append(profiles, Profile{
-			ID:       profile.Id,
 			Name:     profile.Name,
 			IsActive: profile.IsActive,
 		})
@@ -350,10 +332,10 @@ func (s *serviceClient) getProfiles() ([]Profile, error) {
 	return profiles, nil
 }
 
-func (s *serviceClient) handleProfileLogout(profile Profile, refreshCallback func()) {
+func (s *serviceClient) handleProfileLogout(profileName string, refreshCallback func()) {
 	dialog.ShowConfirm(
 		"Deregister",
-		fmt.Sprintf("Are you sure you want to deregister from '%s'?", profile.Name),
+		fmt.Sprintf("Are you sure you want to deregister from '%s'?", profileName),
 		func(confirm bool) {
 			if !confirm {
 				return
@@ -374,10 +356,8 @@ func (s *serviceClient) handleProfileLogout(profile Profile, refreshCallback fun
 			}
 
 			username := currUser.Username
-			// ProfileName is treated as a handle; send the ID so the
-			// daemon resolves to exactly this profile.
 			_, err = conn.Logout(s.ctx, &proto.LogoutRequest{
-				ProfileName: &profile.ID,
+				ProfileName: &profileName,
 				Username:    &username,
 			})
 			if err != nil {
@@ -388,7 +368,7 @@ func (s *serviceClient) handleProfileLogout(profile Profile, refreshCallback fun
 
 			dialog.ShowInformation(
 				"Deregistered",
-				fmt.Sprintf("Successfully deregistered from '%s'", profile.Name),
+				fmt.Sprintf("Successfully deregistered from '%s'", profileName),
 				s.wProfiles,
 			)
 
@@ -481,7 +461,6 @@ func (p *profileMenu) getProfiles() ([]Profile, error) {
 
 	for _, profile := range profilesResp.Profiles {
 		profiles = append(profiles, Profile{
-			ID:       profile.Id,
 			Name:     profile.Name,
 			IsActive: profile.IsActive,
 		})
@@ -522,7 +501,7 @@ func (p *profileMenu) refresh() {
 	}
 
 	if activeProf.ProfileName == "default" || activeProf.Username == currUser.Username {
-		activeProfState, err := p.profileManager.GetProfileState(profilemanager.ID(activeProf.Id))
+		activeProfState, err := p.profileManager.GetProfileState(activeProf.ProfileName)
 		if err != nil {
 			log.Warnf("failed to get active profile state: %v", err)
 			p.emailMenuItem.Hide()
@@ -533,7 +512,7 @@ func (p *profileMenu) refresh() {
 	}
 
 	for _, profile := range profiles {
-		item := p.profileMenuItem.AddSubMenuItem(formatProfileLabel(profile, profiles), "")
+		item := p.profileMenuItem.AddSubMenuItem(profile.Name, "")
 		if profile.IsActive {
 			item.Check()
 		}
@@ -562,8 +541,8 @@ func (p *profileMenu) refresh() {
 						return
 					}
 
-					switchResp, err := conn.SwitchProfile(ctx, &proto.SwitchProfileRequest{
-						ProfileName: &profile.ID,
+					_, err = conn.SwitchProfile(ctx, &proto.SwitchProfileRequest{
+						ProfileName: &profile.Name,
 						Username:    &currUser.Username,
 					})
 					if err != nil {
@@ -573,7 +552,7 @@ func (p *profileMenu) refresh() {
 						return
 					}
 
-					err = p.profileManager.SwitchProfile(profilemanager.ID(switchResp.Id))
+					err = p.profileManager.SwitchProfile(profile.Name)
 					if err != nil {
 						log.Errorf("failed to switch profile '%s': %v", profile.Name, err)
 						return
@@ -748,10 +727,7 @@ func (p *profileMenu) updateMenu() {
 			}
 
 			sort.Slice(profiles, func(i, j int) bool {
-				if profiles[i].Name != profiles[j].Name {
-					return profiles[i].Name < profiles[j].Name
-				}
-				return profiles[i].ID < profiles[j].ID
+				return profiles[i].Name < profiles[j].Name
 			})
 
 			p.mu.Lock()

combined/Dockerfile

@@ -2,5 +2,4 @@ FROM ubuntu:24.04
 RUN apt update && apt install -y ca-certificates && rm -fr /var/cache/apt
 ENTRYPOINT [ "/go/bin/netbird-server" ]
 CMD ["--config", "/etc/netbird/config.yaml"]
-ARG TARGETPLATFORM
-COPY ${TARGETPLATFORM}/netbird-server /go/bin/netbird-server
+COPY netbird-server /go/bin/netbird-server

infrastructure_files/getting-started-enterprise.sh

@@ -1,616 +0,0 @@
-#!/bin/bash
-
-set -e
-set -o pipefail
-
-# NetBird Enterprise — Getting Started
-# Single-node bootstrap for a self-hosted NetBird Enterprise stack with the
-# embedded identity provider. Owner is created via first-login flow.
-
-SED_STRIP_PADDING='s/=//g'
-
-check_docker_compose() {
-  if command -v docker-compose &> /dev/null; then
-    echo "docker-compose"
-    return
-  fi
-  if docker compose --help &> /dev/null; then
-    echo "docker compose"
-    return
-  fi
-  echo "docker-compose is not installed or not in PATH. See https://docs.docker.com/engine/install/" > /dev/stderr
-  exit 1
-}
-
-check_openssl() {
-  if ! command -v openssl &> /dev/null; then
-    echo "openssl is not installed or not in PATH." > /dev/stderr
-    exit 1
-  fi
-}
-
-rand_secret() {
-  openssl rand -base64 32 | sed "$SED_STRIP_PADDING"
-}
-
-rand_b64_key() {
-  openssl rand -base64 32
-}
-
-check_nb_domain() {
-  local domain="$1"
-  if [[ -z "$domain" ]]; then
-    echo "The domain cannot be empty." > /dev/stderr
-    return 1
-  fi
-  if [[ "$domain" == "netbird.example.com" ]]; then
-    echo "The domain cannot be netbird.example.com" > /dev/stderr
-    return 1
-  fi
-  if [[ "$domain" =~ ^[0-9.]+$ ]]; then
-    echo "An IP address is not allowed. A real DNS-resolvable domain is required for TLS and the embedded IdP issuer." > /dev/stderr
-    return 1
-  fi
-  if [[ ! "$domain" =~ ^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$ ]]; then
-    echo "The value '$domain' is not a valid FQDN. A real DNS-resolvable domain is required for TLS and the embedded IdP issuer." > /dev/stderr
-    return 1
-  fi
-  return 0
-}
-
-check_domain_resolves() {
-  local domain="$1"
-  if command -v getent &> /dev/null && getent hosts "$domain" &> /dev/null; then return 0; fi
-  if command -v host &> /dev/null && host "$domain" &> /dev/null; then return 0; fi
-  if command -v dig &> /dev/null && [[ -n "$(dig +short "$domain" 2>/dev/null)" ]]; then return 0; fi
-  if command -v nslookup &> /dev/null && nslookup "$domain" &> /dev/null; then return 0; fi
-  return 1
-}
-
-read_nb_domain() {
-  local value=""
-  echo -n "Enter the FQDN for NetBird (must resolve via DNS, e.g. netbird.my-domain.com): " > /dev/stderr
-  read -r value < /dev/tty
-  if ! check_nb_domain "$value"; then
-    read_nb_domain
-    return
-  fi
-  if ! check_domain_resolves "$value"; then
-    echo "" > /dev/stderr
-    echo "Warning: '$value' does not resolve via DNS from this host." > /dev/stderr
-    echo "Caddy will not be able to issue TLS certificates until it does." > /dev/stderr
-    local confirm=""
-    echo -n "Continue anyway? [y/N]: " > /dev/stderr
-    read -r confirm < /dev/tty
-    if [[ ! "$confirm" =~ ^[Yy]$ ]]; then
-      read_nb_domain
-      return
-    fi
-  fi
-  echo "$value"
-}
-
-read_required() {
-  local prompt="$1"
-  local value=""
-  while [[ -z "$value" ]]; do
-    echo -n "$prompt: " > /dev/stderr
-    read -r value < /dev/tty
-    if [[ -z "$value" ]]; then
-      echo "Value cannot be empty." > /dev/stderr
-    fi
-  done
-  echo "$value"
-}
-
-read_secret() {
-  local prompt="$1"
-  local value=""
-  while [[ -z "$value" ]]; do
-    echo -n "$prompt: " > /dev/stderr
-    read -rs value < /dev/tty
-    echo "" > /dev/stderr
-    if [[ -z "$value" ]]; then
-      echo "Value cannot be empty." > /dev/stderr
-    fi
-  done
-  echo "$value"
-}
-
-# read_yes_no "<prompt>" [<default y|n>]
-read_yes_no() {
-  local prompt="$1"
-  local default="${2:-n}"
-  local hint
-  if [[ "$default" == "y" ]]; then
-    hint="[Y/n]"
-  else
-    hint="[y/N]"
-  fi
-  echo -n "${prompt} ${hint}: " > /dev/stderr
-  local ans=""
-  read -r ans < /dev/tty
-  if [[ -z "$ans" ]]; then
-    ans="$default"
-  fi
-  case "$ans" in
-    [Yy] | [Yy][Ee][Ss]) echo "yes" ;;
-    *) echo "no" ;;
-  esac
-}
-
-wait_postgres() {
-  set +e
-  echo -n "Waiting for postgres to become ready"
-  local counter=1
-  while true; do
-    if $DOCKER_COMPOSE_COMMAND exec -T postgres pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" &> /dev/null; then
-      break
-    fi
-    if [[ $counter -eq 60 ]]; then
-      echo ""
-      echo "Postgres is taking too long. Recent logs:"
-      $DOCKER_COMPOSE_COMMAND logs --tail=20 postgres
-      exit 1
-    fi
-    echo -n " ."
-    sleep 2
-    counter=$((counter + 1))
-  done
-  echo " done"
-  set -e
-}
-
-init_environment() {
-  check_openssl
-  DOCKER_COMPOSE_COMMAND=$(check_docker_compose)
-
-  if [[ -f .env ]] || [[ -f docker-compose.yml ]] || [[ -f config.yaml ]] || [[ -f Caddyfile ]]; then
-    echo "Generated files already exist in $(pwd)."
-    echo "If you want to reinitialize the environment, please remove them first:"
-    echo "  $DOCKER_COMPOSE_COMMAND down --volumes # removes all containers and volumes"
-    echo "  rm -f .env docker-compose.yml Caddyfile config.yaml"
-    echo "Be aware this will remove all data from the database."
-    exit 1
-  fi
-
-  echo "NetBird Enterprise bootstrap"
-  echo ""
-  echo "Traffic flow:"
-  echo "  Enables traffic events logging on the management server."
-  echo "  When enabled, the NetBird stack also runs NATS along with two"
-  echo "  additional containers: netbird-receiver (the traffic log receiver"
-  echo "  service) and netbird-enricher (the traffic log enricher service)."
-  echo "  It still has to be turned on from the dashboard settings afterwards."
-  echo "  See https://docs.netbird.io/manage/activity/traffic-events-logging"
-  NETBIRD_TRAFFIC_FLOW=$(read_yes_no "Enable traffic flow" "n")
-
-  echo ""
-  NETBIRD_DOMAIN=$(read_nb_domain)
-
-  echo ""
-
-  NETBIRD_LICENSE_KEY=$(read_secret "Enter license key (input hidden)")
-
-  GHCR_USERNAME="netbirdExtAccess1"
-  GHCR_TOKEN=$(read_secret "Enter GHCR token (input hidden)")
-
-  POSTGRES_USER="netbird"
-  POSTGRES_DB="netbird"
-  POSTGRES_PASSWORD=$(rand_secret)
-  NETBIRD_ENCRYPTION_KEY=$(rand_b64_key)
-  NETBIRD_RELAY_AUTH_SECRET=$(rand_secret)
-
-  POSTGRES_DSN="host=postgres user=${POSTGRES_USER} password=${POSTGRES_PASSWORD} dbname=${POSTGRES_DB} port=5432 sslmode=disable TimeZone=UTC"
-  NETBIRD_RELAY_ENDPOINT="rels://${NETBIRD_DOMAIN}:443"
-
-  echo ""
-  echo "Selected:"
-  echo "  Traffic flow: ${NETBIRD_TRAFFIC_FLOW}"
-  echo "  Domain:       ${NETBIRD_DOMAIN}"
-  echo ""
-  echo "Rendering files into $(pwd) ..."
-  install -m 600 /dev/null .env
-  render_env >> .env
-  render_docker_compose > docker-compose.yml
-
-  if [[ -z "${NETBIRD_LICENSE_SERVER_BASE_URL:-}" ]]; then
-    sed -i.bak '/NETBIRD_LICENSE_SERVER_BASE_URL/d' docker-compose.yml && rm -f docker-compose.yml.bak
-  fi
-  render_caddyfile > Caddyfile
-  install -m 600 /dev/null config.yaml
-  render_config_yaml >> config.yaml
-
-  echo "Logging in to ghcr.io ..."
-  printf '%s' "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_USERNAME" --password-stdin
-  unset GHCR_TOKEN
-
-  echo ""
-  echo "Pulling images ..."
-  $DOCKER_COMPOSE_COMMAND pull
-
-  echo ""
-  echo "Starting postgres ..."
-  $DOCKER_COMPOSE_COMMAND up -d postgres
-  sleep 2
-  wait_postgres
-
-  echo ""
-  echo "Starting remaining services ..."
-  $DOCKER_COMPOSE_COMMAND up -d
-
-  echo ""
-  echo "Done."
-  echo ""
-  echo "Dashboard: https://${NETBIRD_DOMAIN}"
-  echo ""
-  echo "Open the dashboard in a browser to complete the first-login owner setup."
-  echo "All configuration and secrets are stored (mode 600) in $(pwd)/.env"
-  echo ""
-  echo "Tail logs:"
-  echo "  cd $(pwd) && $DOCKER_COMPOSE_COMMAND logs -f netbird-server caddy"
-}
-
-# ------------------------------------------------------------------
-# Renderers
-# ------------------------------------------------------------------
-
-render_env() {
-  cat <<EOF
-# Generated by getting-started-enterprise.sh
-# Holds all configuration and secrets for the stack. Mode 600.
-
-# Features (set by the script; don't edit without re-running)
-NETBIRD_TRAFFIC_FLOW_ENABLED=${NETBIRD_TRAFFIC_FLOW}
-
-# Domain
-NETBIRD_DOMAIN=${NETBIRD_DOMAIN}
-
-# Image tags. Default to "latest"
-NETBIRD_DASHBOARD_TAG=${NETBIRD_DASHBOARD_TAG:-latest}
-NETBIRD_SERVER_TAG=${NETBIRD_SERVER_TAG:-latest}
-EOF
-
-  if [[ "$NETBIRD_TRAFFIC_FLOW" == "yes" ]]; then
-    cat <<EOF
-NETBIRD_ENRICHER_TAG=${NETBIRD_ENRICHER_TAG:-latest}
-NETBIRD_RECEIVER_TAG=${NETBIRD_RECEIVER_TAG:-latest}
-EOF
-  fi
-
-  cat <<EOF
-
-# License keys
-EOF
-  if [[ -n "${NETBIRD_LICENSE_SERVER_BASE_URL:-}" ]]; then
-    cat <<EOF
-NETBIRD_LICENSE_SERVER_BASE_URL=${NETBIRD_LICENSE_SERVER_BASE_URL}
-EOF
-  fi
-  cat <<EOF
-NETBIRD_LICENSE_KEY=${NETBIRD_LICENSE_KEY}
-EOF
-
-  cat <<EOF
-
-# Postgres
-POSTGRES_USER=${POSTGRES_USER}
-POSTGRES_DB=${POSTGRES_DB}
-POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
-NETBIRD_STORE_ENGINE_POSTGRES_DSN=${POSTGRES_DSN}
-
-# Relay
-NETBIRD_RELAY_ENDPOINT=${NETBIRD_RELAY_ENDPOINT}
-NETBIRD_RELAY_AUTH_SECRET=${NETBIRD_RELAY_AUTH_SECRET}
-
-# Datastore encryption
-NETBIRD_ENCRYPTION_KEY=${NETBIRD_ENCRYPTION_KEY}
-
-# Dashboard OIDC scopes
-NETBIRD_AUTH_SUPPORTED_SCOPES=${NETBIRD_AUTH_SUPPORTED_SCOPES:-openid profile email groups}
-EOF
-}
-
-render_docker_compose() {
-  render_compose_header
-  render_compose_common
-  render_compose_server
-  if [[ "$NETBIRD_TRAFFIC_FLOW" == "yes" ]]; then
-    render_compose_flow
-  fi
-  render_compose_postgres
-  render_compose_footer
-}
-
-render_compose_header() {
-  cat <<'EOF'
-x-default: &default
-  restart: unless-stopped
-  logging:
-    driver: json-file
-    options:
-      max-size: '500m'
-      max-file: '2'
-
-services:
-EOF
-}
-
-render_compose_common() {
-  cat <<'EOF'
-  caddy:
-    <<: *default
-    image: caddy:2
-    container_name: netbird-caddy
-    networks: [netbird]
-    environment:
-      - CADDY_SECURE_DOMAIN=${NETBIRD_DOMAIN}
-    ports:
-      - '443:443'
-      - '443:443/udp'
-      - '80:80'
-    volumes:
-      - netbird_caddy_data:/data
-      - ./Caddyfile:/etc/caddy/Caddyfile
-
-  dashboard:
-    <<: *default
-    image: ghcr.io/netbirdio/dashboard-cloud:${NETBIRD_DASHBOARD_TAG}
-    container_name: netbird-dashboard
-    networks: [netbird]
-    environment:
-      - NETBIRD_MGMT_API_ENDPOINT=https://${NETBIRD_DOMAIN}
-      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://${NETBIRD_DOMAIN}
-      - AUTH_AUDIENCE=netbird-dashboard
-      - AUTH_CLIENT_ID=netbird-dashboard
-      - AUTH_CLIENT_SECRET=
-      - AUTH_AUTHORITY=https://${NETBIRD_DOMAIN}/oauth2
-      - USE_AUTH0=false
-      - AUTH_SUPPORTED_SCOPES=${NETBIRD_AUTH_SUPPORTED_SCOPES}
-      - AUTH_REDIRECT_URI=/nb-auth
-      - AUTH_SILENT_REDIRECT_URI=/nb-silent-auth
-      - NETBIRD_TOKEN_SOURCE=accessToken
-      - NGINX_SSL_PORT=443
-      - LETSENCRYPT_DOMAIN=
-      - LETSENCRYPT_EMAIL=
-
-EOF
-}
-
-render_compose_server() {
-  cat <<'EOF'
-  netbird-server:
-    <<: *default
-    image: ghcr.io/netbirdio/netbird-server-cloud:${NETBIRD_SERVER_TAG}
-    container_name: netbird-server
-    networks: [netbird]
-    depends_on:
-      dashboard:
-        condition: service_started
-      postgres:
-        condition: service_healthy
-    ports:
-      - '3478:3478/udp'
-    volumes:
-      - netbird_data:/var/lib/netbird
-      - ./config.yaml:/etc/netbird/config.yaml
-    command: ["--config", "/etc/netbird/config.yaml"]
-    environment:
-      - NB_LICENSE_KEY=${NETBIRD_LICENSE_KEY}
-      - NETBIRD_LICENSE_SERVER_BASE_URL=${NETBIRD_LICENSE_SERVER_BASE_URL}
-
-EOF
-}
-
-render_compose_flow() {
-  cat <<'EOF'
-  nats:
-    <<: *default
-    image: nats:2
-    container_name: netbird-nats
-    networks: [netbird]
-    volumes:
-      - netbird_nats_data:/data
-    command: ["-m", "8222", "--jetstream", "--store_dir", "/data"]
-
-  enricher:
-    <<: *default
-    image: ghcr.io/netbirdio/flow-enricher-cloud:${NETBIRD_ENRICHER_TAG}
-    container_name: netbird-enricher
-    networks: [netbird]
-    depends_on:
-      postgres:
-        condition: service_healthy
-      nats:
-        condition: service_started
-    volumes:
-      - netbird_enricher:/var/lib/netbird
-    environment:
-      - NB_LICENSE_KEY=${NETBIRD_LICENSE_KEY}
-      - NETBIRD_LICENSE_SERVER_BASE_URL=${NETBIRD_LICENSE_SERVER_BASE_URL}
-      - NB_DATADIR=/var/lib/netbird
-      - NB_MANAGEMENT_STORE_ENGINE=postgres
-      - NB_MANAGEMENT_POSTGRES_DSN=${NETBIRD_STORE_ENGINE_POSTGRES_DSN}
-      - NETBIRD_STORE_ENGINE_POSTGRES_DSN=${NETBIRD_STORE_ENGINE_POSTGRES_DSN}
-      - NB_TRAFFIC_EVENT_POSTGRES_DSN=${NETBIRD_STORE_ENGINE_POSTGRES_DSN}
-      - NB_TRAFFIC_EVENT_STORE_ENGINE=postgres
-      - NB_MANAGEMENT_STORE_KEY=${NETBIRD_ENCRYPTION_KEY}
-      - NB_FLOW_ADAPTER_TYPE=nats
-      - NB_FLOW_NATS_ENDPOINTS=nats://nats:4222
-      - NB_FLOW_NATS_STREAM=traffic-events
-      - NB_METRICS_PORT=9091
-      - NB_PERSISTENCE_RETENTION_PERIOD=168h
-
-  receiver:
-    <<: *default
-    image: ghcr.io/netbirdio/flow-receiver-cloud:${NETBIRD_RECEIVER_TAG}
-    container_name: netbird-receiver
-    networks: [netbird]
-    depends_on:
-      nats:
-        condition: service_started
-    environment:
-      - NB_LICENSE_KEY=${NETBIRD_LICENSE_KEY}
-      - NETBIRD_LICENSE_SERVER_BASE_URL=${NETBIRD_LICENSE_SERVER_BASE_URL}
-      - NB_FLOW_LISTEN_PORT=80
-      - NB_FLOW_ADAPTER_TYPE=nats
-      - NB_FLOW_NATS_ENDPOINTS=nats://nats:4222
-      - NB_FLOW_NATS_STREAM=traffic-events
-      - NB_FLOW_AUTH_SECRET=${NETBIRD_RELAY_AUTH_SECRET}
-
-EOF
-}
-
-render_compose_postgres() {
-  cat <<'EOF'
-  postgres:
-    <<: *default
-    image: postgres:17
-    container_name: netbird-postgres
-    networks: [netbird]
-    environment:
-      - POSTGRES_USER=${POSTGRES_USER}
-      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
-      - POSTGRES_DB=${POSTGRES_DB}
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
-      interval: 10s
-      timeout: 5s
-      retries: 10
-    volumes:
-      - netbird_postgres:/var/lib/postgresql/data
-
-EOF
-}
-
-render_compose_footer() {
-  cat <<'EOF'
-volumes:
-  netbird_data:
-EOF
-  if [[ "$NETBIRD_TRAFFIC_FLOW" == "yes" ]]; then
-    cat <<'EOF'
-  netbird_nats_data:
-  netbird_enricher:
-EOF
-  fi
-  cat <<'EOF'
-  netbird_postgres:
-  netbird_caddy_data:
-
-networks:
-  netbird:
-EOF
-}
-
-render_caddyfile() {
-  cat <<'EOF'
-{
-  servers :80,:443 {
-    protocols h1 h2c h2 h3
-  }
-}
-
-(security_headers) {
-    header * {
-        Strict-Transport-Security "max-age=3600; includeSubDomains; preload"
-        X-Content-Type-Options "nosniff"
-        X-Frame-Options "SAMEORIGIN"
-        X-XSS-Protection "1; mode=block"
-        -Server
-        Referrer-Policy strict-origin-when-cross-origin
-    }
-}
-
-:80 {
-    redir https://{$CADDY_SECURE_DOMAIN}{uri} permanent
-}
-
-{$CADDY_SECURE_DOMAIN}:443 {
-    import security_headers
-    # Signal (gRPC over h2c)
-    reverse_proxy /signalexchange.SignalExchange/* h2c://netbird-server:80
-    # Management (gRPC over h2c + HTTP)
-    reverse_proxy /management.ManagementService/* h2c://netbird-server:80
-    reverse_proxy /api/* netbird-server:80
-    reverse_proxy /ws-proxy/* netbird-server:80
-    # Embedded IdP (OAuth2 endpoints served by netbird server)
-    reverse_proxy /oauth2/* netbird-server:80
-    # Relay (WebSocket multiplexed on the same port)
-    reverse_proxy /relay* netbird-server:80
-EOF
-
-  if [[ "$NETBIRD_TRAFFIC_FLOW" == "yes" ]]; then
-    cat <<'EOF'
-    # Flow receiver (gRPC over h2c)
-    reverse_proxy /flow.FlowService/* h2c://receiver:80
-EOF
-  fi
-
-  cat <<'EOF'
-    # Dashboard
-    reverse_proxy /* dashboard:80
-}
-EOF
-}
-
-render_config_yaml() {
-  cat <<EOF
-# NetBird Enterprise server configuration.
-# Generated by getting-started-enterprise.sh. Mode 600.
-
-server:
-  listenAddress: ":80"
-  exposedAddress: "https://${NETBIRD_DOMAIN}:443"
-
-  metricsPort: 9090
-  healthcheckAddress: ":9000"
-
-  logLevel: "info"
-  logFile: "console"
-
-  # TLS is terminated by Caddy in front; leave this block empty.
-  tls:
-    certFile: ""
-    keyFile: ""
-    letsencrypt:
-      enabled: false
-
-  authSecret: "${NETBIRD_RELAY_AUTH_SECRET}"
-  dataDir: "/var/lib/netbird/"
-
-  disableAnonymousMetrics: false
-  disableGeoliteUpdate: false
-
-  auth:
-    issuer: "https://${NETBIRD_DOMAIN}/oauth2"
-    localAuthDisabled: false
-    signKeyRefreshEnabled: false
-    dashboardRedirectURIs:
-      - "https://${NETBIRD_DOMAIN}/nb-auth"
-      - "https://${NETBIRD_DOMAIN}/nb-silent-auth"
-    cliRedirectURIs:
-      - "http://localhost:53000/"
-
-  store:
-    engine: "postgres"
-    dsn: "${POSTGRES_DSN}"
-    encryptionKey: "${NETBIRD_ENCRYPTION_KEY}"
-
-  activityStore:
-    engine: "postgres"
-    dsn: "${POSTGRES_DSN}"
-EOF
-
-  if [[ "$NETBIRD_TRAFFIC_FLOW" == "yes" ]]; then
-    cat <<EOF
-
-  trafficFlow:
-    enabled: true
-    address: "https://${NETBIRD_DOMAIN}:443"
-    interval: "60s"
-EOF
-  fi
-}
-
-init_environment

infrastructure_files/migrate-to-enterprise.sh

@@ -1,638 +0,0 @@
-#!/bin/bash
-
-set -e
-set -o pipefail
-
-# NetBird — community combined → Enterprise combined migration
-#
-# Non-destructive migration: produces docker-compose.override.yml (auto-loaded
-# by docker compose) and config.yaml.enterprise alongside the operator's
-# existing files. Original docker-compose.yml and config.yaml are never
-# modified.
-#
-# Steps (all optional, asked interactively):
-#   1. Image swap         — replace community images with enterprise cloud images.
-#   2. Postgres migration — add Postgres, migrate SQLite data via migrate-store.
-#   3. Traffic flow       — add NATS + flow-enricher + flow-receiver.
-#
-# To revert:
-#   docker compose down
-#   rm -f docker-compose.override.yml config.yaml.enterprise
-#   # If Postgres migration was done, also restore the SQLite backup printed
-#   # at the end of this script's run.
-#   docker compose up -d
-
-OVERRIDE_FILE="docker-compose.override.yml"
-ENTERPRISE_CONFIG_FILE="config.yaml.enterprise"
-
-check_docker_compose() {
-  if command -v docker-compose &> /dev/null; then
-    echo "docker-compose"
-    return
-  fi
-  if docker compose --help &> /dev/null; then
-    echo "docker compose"
-    return
-  fi
-  echo "docker-compose is not installed or not in PATH." > /dev/stderr
-  exit 1
-}
-
-check_yq() {
-  if ! command -v yq &> /dev/null; then
-    cat > /dev/stderr <<'EOF'
-yq is required to parse and update YAML safely.
-
-  macOS:   brew install yq
-  Linux:   https://github.com/mikefarah/yq/releases (download binary into PATH)
-  Debian:  apt-get install yq   (Note: must be the mikefarah Go yq, not the Python wrapper.)
-
-EOF
-    exit 1
-  fi
-  if ! yq --version 2>&1 | grep -q "mikefarah"; then
-    echo "yq is present but appears to be the wrong implementation. The mikefarah Go-based yq is required (https://github.com/mikefarah/yq)." > /dev/stderr
-    exit 1
-  fi
-}
-
-check_openssl() {
-  if ! command -v openssl &> /dev/null; then
-    echo "openssl is not installed or not in PATH." > /dev/stderr
-    exit 1
-  fi
-}
-
-rand_password() {
-  openssl rand -hex 32
-}
-
-read_required() {
-  local prompt="$1"
-  local value=""
-  while [[ -z "$value" ]]; do
-    echo -n "$prompt: " > /dev/stderr
-    read -r value < /dev/tty
-    if [[ -z "$value" ]]; then
-      echo "Value cannot be empty." > /dev/stderr
-    fi
-  done
-  echo "$value"
-}
-
-read_secret() {
-  local prompt="$1"
-  local value=""
-  while [[ -z "$value" ]]; do
-    echo -n "$prompt: " > /dev/stderr
-    read -rs value < /dev/tty
-    echo "" > /dev/stderr
-    if [[ -z "$value" ]]; then
-      echo "Value cannot be empty." > /dev/stderr
-    fi
-  done
-  echo "$value"
-}
-
-read_yes_no() {
-  local prompt="$1"
-  local default="${2:-n}"
-  local hint
-  if [[ "$default" == "y" ]]; then
-    hint="[Y/n]"
-  else
-    hint="[y/N]"
-  fi
-  echo -n "${prompt} ${hint}: " > /dev/stderr
-  local ans=""
-  read -r ans < /dev/tty
-  if [[ -z "$ans" ]]; then
-    ans="$default"
-  fi
-  case "$ans" in
-    [Yy] | [Yy][Ee][Ss]) echo "yes" ;;
-    *) echo "no" ;;
-  esac
-}
-
-# ---------------------------------------------------------------------------
-# Detection — read the operator's existing compose to find service names and
-# paths we need to override. Bail loudly if shape isn't recognised.
-# ---------------------------------------------------------------------------
-
-detect_combined_service() {
-  yq eval '.services | to_entries | map(select(.value.image | test("^netbirdio/netbird-server"))) | .[0].key // ""' "$COMPOSE_FILE"
-}
-
-detect_dashboard_service() {
-  yq eval '.services | to_entries | map(select(.value.image | test("^netbirdio/dashboard"))) | .[0].key // ""' "$COMPOSE_FILE"
-}
-
-detect_config_yaml_host_path() {
-  yq eval ".services[\"$COMBINED_SERVICE\"].volumes[] | select(. | test(\":/etc/netbird/config.yaml\")) | sub(\":/etc/netbird/config.yaml.*\"; \"\") // \"\"" "$COMPOSE_FILE" | head -1
-}
-
-detect_data_volume() {
-  yq eval ".services[\"$COMBINED_SERVICE\"].volumes[] | select(. | test(\":/var/lib/netbird\")) | sub(\":/var/lib/netbird.*\"; \"\") // \"\"" "$COMPOSE_FILE" | head -1
-}
-
-detect_exposed_address() {
-  yq eval '.server.exposedAddress // ""' "$CONFIG_YAML_HOST"
-}
-
-detect_compose_network() {
-  local tag
-  tag=$(yq eval ".services[\"$COMBINED_SERVICE\"].networks | tag" "$COMPOSE_FILE" 2>/dev/null)
-  case "$tag" in
-    "!!seq")
-      yq eval ".services[\"$COMBINED_SERVICE\"].networks[0]" "$COMPOSE_FILE"
-      ;;
-    "!!map")
-      yq eval ".services[\"$COMBINED_SERVICE\"].networks | keys | .[0]" "$COMPOSE_FILE"
-      ;;
-    *)
-      echo "default"
-      ;;
-  esac
-}
-
-# ---------------------------------------------------------------------------
-# Renderers
-# ---------------------------------------------------------------------------
-
-# Build docker-compose.override.yml from the steps the operator selected.
-# Service names match what we detected on the operator's side.
-render_override() {
-  cat <<EOF
-# Generated by migrate-to-enterprise.sh. Mode 644.
-# Merged with docker-compose.yml automatically by Docker Compose.
-# Remove this file (and config.yaml.enterprise if present) to revert.
-
-services:
-  ${DASHBOARD_SERVICE}:
-    image: \${NETBIRD_DASHBOARD_IMAGE:-ghcr.io/netbirdio/dashboard-cloud:latest}
-
-  ${COMBINED_SERVICE}:
-    image: \${NETBIRD_SERVER_IMAGE:-ghcr.io/netbirdio/netbird-server-cloud:latest}
-    environment:
-      NB_LICENSE_KEY: \${NB_LICENSE_KEY}
-      NETBIRD_LICENSE_SERVER_BASE_URL: \${NETBIRD_LICENSE_SERVER_BASE_URL}
-EOF
-
-  if [[ "$MIGRATE_POSTGRES" == "yes" ]]; then
-    cat <<EOF
-    depends_on:
-      postgres:
-        condition: service_healthy
-    volumes:
-      - ./${ENTERPRISE_CONFIG_FILE}:/etc/netbird/config.yaml.enterprise:ro
-    command: ["--config", "/etc/netbird/config.yaml.enterprise"]
-
-  postgres:
-    image: postgres:17
-    container_name: netbird-postgres
-    restart: unless-stopped
-    networks: [${COMPOSE_NETWORK}]
-    environment:
-      POSTGRES_USER: netbird
-      POSTGRES_PASSWORD: \${POSTGRES_PASSWORD}
-      POSTGRES_DB: netbird
-    volumes:
-      - netbird_postgres:/var/lib/postgresql/data
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U netbird -d netbird"]
-      interval: 5s
-      timeout: 5s
-      retries: 20
-EOF
-  fi
-
-  if [[ "$ENABLE_FLOW" == "yes" ]]; then
-    cat <<EOF
-
-  nats:
-    image: nats:2
-    container_name: netbird-nats
-    restart: unless-stopped
-    networks: [${COMPOSE_NETWORK}]
-    command: ["-m", "8222", "--jetstream", "--store_dir", "/data"]
-    volumes:
-      - netbird_nats_data:/data
-
-  flow-enricher:
-    image: ghcr.io/netbirdio/flow-enricher-cloud:latest
-    container_name: netbird-flow-enricher
-    restart: unless-stopped
-    networks: [${COMPOSE_NETWORK}]
-    depends_on:
-      postgres:
-        condition: service_healthy
-      nats:
-        condition: service_started
-    environment:
-      NB_LICENSE_KEY: \${NB_LICENSE_KEY}
-      NETBIRD_LICENSE_SERVER_BASE_URL: \${NETBIRD_LICENSE_SERVER_BASE_URL}
-      NB_DATADIR: /var/lib/netbird
-      NB_MANAGEMENT_STORE_ENGINE: postgres
-      NB_MANAGEMENT_POSTGRES_DSN: "host=postgres user=netbird password=\${POSTGRES_PASSWORD} dbname=netbird port=5432 sslmode=disable"
-      NB_STORE_ENGINE_POSTGRES_DSN: "host=postgres user=netbird password=\${POSTGRES_PASSWORD} dbname=netbird port=5432 sslmode=disable"
-      NB_TRAFFIC_EVENT_STORE_ENGINE: postgres
-      NB_TRAFFIC_EVENT_POSTGRES_DSN: "host=postgres user=netbird password=\${POSTGRES_PASSWORD} dbname=netbird port=5432 sslmode=disable"
-      NB_MANAGEMENT_STORE_KEY: \${NETBIRD_ENCRYPTION_KEY}
-      NB_FLOW_ADAPTER_TYPE: nats
-      NB_FLOW_NATS_ENDPOINTS: nats://nats:4222
-      NB_FLOW_NATS_STREAM: traffic-events
-      NB_METRICS_PORT: 9091
-      NB_PERSISTENCE_RETENTION_PERIOD: 168h
-
-  flow-receiver:
-    image: ghcr.io/netbirdio/flow-receiver-cloud:latest
-    container_name: netbird-flow-receiver
-    restart: unless-stopped
-    networks: [${COMPOSE_NETWORK}]
-    depends_on:
-      nats:
-        condition: service_started
-    environment:
-      NB_LICENSE_KEY: \${NB_LICENSE_KEY}
-      NETBIRD_LICENSE_SERVER_BASE_URL: \${NETBIRD_LICENSE_SERVER_BASE_URL}
-      NB_FLOW_LISTEN_PORT: 80
-      NB_FLOW_ADAPTER_TYPE: nats
-      NB_FLOW_NATS_ENDPOINTS: nats://nats:4222
-      NB_FLOW_NATS_STREAM: traffic-events
-      NB_FLOW_AUTH_SECRET: \${NB_FLOW_AUTH_SECRET}
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.netbird-flow.rule=Host(\`${NETBIRD_HOSTNAME}\`) && PathPrefix(\`/flow.FlowService/\`)
-      - traefik.http.routers.netbird-flow.entrypoints=websecure
-      - traefik.http.routers.netbird-flow.tls=true
-      - traefik.http.routers.netbird-flow.tls.certresolver=letsencrypt
-      - traefik.http.routers.netbird-flow.service=netbird-flow-h2c
-      - traefik.http.routers.netbird-flow.priority=100
-      - traefik.http.services.netbird-flow-h2c.loadbalancer.server.port=80
-      - traefik.http.services.netbird-flow-h2c.loadbalancer.server.scheme=h2c
-EOF
-  fi
-
-  # Volume declarations for anything new the override introduced
-  local has_volumes="no"
-  if [[ "$MIGRATE_POSTGRES" == "yes" ]] || [[ "$ENABLE_FLOW" == "yes" ]]; then
-    has_volumes="yes"
-  fi
-
-  if [[ "$has_volumes" == "yes" ]]; then
-    cat <<EOF
-
-volumes:
-EOF
-    if [[ "$MIGRATE_POSTGRES" == "yes" ]]; then
-      echo "  netbird_postgres:"
-    fi
-    if [[ "$ENABLE_FLOW" == "yes" ]]; then
-      echo "  netbird_nats_data:"
-    fi
-  fi
-}
-
-# Build config.yaml.enterprise by yq-editing the operator's existing
-# config.yaml. We don't touch the original file.
-render_enterprise_config() {
-  local pg_dsn="host=postgres user=netbird password=${POSTGRES_PASSWORD} dbname=netbird port=5432 sslmode=disable"
-
-  yq eval "
-    .server.store.engine = \"postgres\" |
-    .server.store.dsn = \"$pg_dsn\" |
-    .server.activityStore.engine = \"postgres\" |
-    .server.activityStore.dsn = \"$pg_dsn\" |
-    .server.authStore.engine = \"postgres\" |
-    .server.authStore.dsn = \"$pg_dsn\"
-  " "$CONFIG_YAML_HOST" > "$ENTERPRISE_CONFIG_FILE"
-
-  if [[ "$ENABLE_FLOW" == "yes" ]]; then
-    local flow_addr="${NETBIRD_DOMAIN}"
-    yq eval -i "
-      .server.trafficFlow.enabled = true |
-      .server.trafficFlow.address = \"$flow_addr\" |
-      .server.trafficFlow.interval = \"60s\"
-    " "$ENTERPRISE_CONFIG_FILE"
-  fi
-}
-
-# ---------------------------------------------------------------------------
-# Execution steps
-# ---------------------------------------------------------------------------
-
-resolve_data_volume() {
-  local short="$1"
-  local actual
-  # Resolve project-prefixed volume name from Docker Compose config first.
-  actual=$($DOCKER_COMPOSE_COMMAND config 2>/dev/null | yq eval ".volumes.\"$short\".name" - 2>/dev/null)
-  if [[ -n "$actual" && "$actual" != "null" ]]; then
-    echo "$actual"
-    return
-  fi
-  # Relative bind mount: docker-compose resolves it against the compose
-  # file's directory, but `docker run -v` resolves it against the current
-  # working directory. Normalize to an absolute path so both interpretations
-  # agree (and the printed revert command works from any CWD).
-  if [[ "$short" == ./* || "$short" == ../* ]]; then
-    local compose_dir
-    compose_dir="$(cd "$(dirname "$COMPOSE_FILE")" && pwd)"
-    (
-      cd "$compose_dir"
-      cd "$(dirname "$short")"
-      printf '%s/%s\n' "$(pwd)" "$(basename "$short")"
-    )
-    return
-  fi
-  # Not a named volume (e.g. an absolute bind-mount path) — use it as-is.
-  echo "$short"
-}
-
-backup_sqlite() {
-  BACKUP_DIR="$(pwd)/backups/sqlite-pre-enterprise-$(date +%Y%m%d-%H%M%S)"
-  mkdir -p "$BACKUP_DIR"
-  local data_volume_actual
-  data_volume_actual=$(resolve_data_volume "$DATA_VOLUME")
-  echo "Backing up SQLite store from volume '$data_volume_actual' to $BACKUP_DIR ..."
-  docker run --rm \
-    -v "${data_volume_actual}:/var/lib/netbird:ro" \
-    -v "${BACKUP_DIR}:/backup" \
-    busybox \
-    sh -c 'cp -a /var/lib/netbird/. /backup/ 2>/dev/null || true'
-  local copied
-  copied=$(find "$BACKUP_DIR" -mindepth 1 | head -1)
-  if [[ -z "$copied" ]]; then
-    echo "  ⚠ Backup directory is empty — the volume '$data_volume_actual' didn't contain data. Aborting." > /dev/stderr
-    exit 1
-  fi
-  echo "  done"
-}
-
-run_migrate_store() {
-  echo "Running migrate-store (SQLite → Postgres) ..."
-  $DOCKER_COMPOSE_COMMAND run --rm "$COMBINED_SERVICE" migrate-store --config /etc/netbird/config.yaml.enterprise --verify
-  echo "  done"
-}
-
-# ---------------------------------------------------------------------------
-# Main
-# ---------------------------------------------------------------------------
-
-init_migration() {
-  DOCKER_COMPOSE_COMMAND=$(check_docker_compose)
-  check_yq
-  check_openssl
-
-  COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.yml}"
-
-  if [[ ! -f "$COMPOSE_FILE" ]]; then
-    echo "$COMPOSE_FILE not found in $(pwd)." > /dev/stderr
-    exit 1
-  fi
-  if [[ -f "$OVERRIDE_FILE" ]] || [[ -f "$ENTERPRISE_CONFIG_FILE" ]]; then
-    echo "Migration artifacts already exist in $(pwd):"
-    [[ -f "$OVERRIDE_FILE" ]] && echo "  $OVERRIDE_FILE"
-    [[ -f "$ENTERPRISE_CONFIG_FILE" ]] && echo "  $ENTERPRISE_CONFIG_FILE"
-    echo ""
-    echo "Either you've already migrated, or a previous run was interrupted."
-    echo "To re-run cleanly: rm -f $OVERRIDE_FILE $ENTERPRISE_CONFIG_FILE"
-    exit 1
-  fi
-
-  COMBINED_SERVICE=$(detect_combined_service)
-  DASHBOARD_SERVICE=$(detect_dashboard_service)
-  CONFIG_YAML_HOST=$(detect_config_yaml_host_path)
-  DATA_VOLUME=$(detect_data_volume)
-  COMPOSE_NETWORK=$(detect_compose_network)
-
-  if [[ -z "$COMBINED_SERVICE" ]]; then
-    echo "Could not find a service running netbirdio/netbird-server* in $COMPOSE_FILE." > /dev/stderr
-    echo "This script targets the community combined-server deployment." > /dev/stderr
-    exit 1
-  fi
-  if [[ -z "$DASHBOARD_SERVICE" ]]; then
-    echo "Could not find a service running netbirdio/dashboard* in $COMPOSE_FILE." > /dev/stderr
-    exit 1
-  fi
-  if [[ -z "$CONFIG_YAML_HOST" ]]; then
-    echo "Could not find a config.yaml mount on $COMBINED_SERVICE (expected to bind-mount to /etc/netbird/config.yaml)." > /dev/stderr
-    exit 1
-  fi
-  if [[ ! -f "$CONFIG_YAML_HOST" ]]; then
-    echo "config.yaml host file not found at $CONFIG_YAML_HOST." > /dev/stderr
-    exit 1
-  fi
-  if [[ -z "$DATA_VOLUME" ]]; then
-    echo "Could not find a volume mounted at /var/lib/netbird on $COMBINED_SERVICE." > /dev/stderr
-    exit 1
-  fi
-
-  echo "Detected existing deployment:"
-  echo "  Combined service: $COMBINED_SERVICE"
-  echo "  Dashboard:        $DASHBOARD_SERVICE"
-  echo "  config.yaml:      $CONFIG_YAML_HOST"
-  echo "  Data volume:      $DATA_VOLUME"
-  echo "  Network:          $COMPOSE_NETWORK"
-  echo ""
-
-  local proceed
-  proceed=$(read_yes_no "Proceed with migration?" "y")
-  if [[ "$proceed" != "yes" ]]; then
-    echo "Aborted."
-    exit 0
-  fi
-
-  # Step 1 — always (this is the point of the script)
-  MIGRATE_IMAGES="yes"
-  echo ""
-  echo "Step 1: Image swap (community → Enterprise). License key required."
-  NB_LICENSE_KEY=$(read_secret "  License key")
-  GHCR_USERNAME="netbirdExtAccess1"
-  GHCR_TOKEN=$(read_secret "  GHCR token (input hidden)")
-
-  # Step 2 — optional
-  echo ""
-  MIGRATE_POSTGRES=$(read_yes_no "Step 2: Migrate storage from SQLite to Postgres? (recommended)" "n")
-  if [[ "$MIGRATE_POSTGRES" == "yes" ]]; then
-    echo ""
-    echo "  ⚠  Data will be migrated from SQLite to Postgres. The SQLite store"
-    echo "     will be backed up automatically. To fully revert later, restore"
-    echo "     that backup and delete docker-compose.override.yml +"
-    echo "     config.yaml.enterprise."
-    local confirm
-    confirm=$(read_yes_no "  Continue?" "y")
-    if [[ "$confirm" != "yes" ]]; then
-      MIGRATE_POSTGRES="no"
-      echo "  Skipping Postgres migration."
-    else
-      POSTGRES_PASSWORD=$(rand_password)
-    fi
-  fi
-
-  # Step 3 — optional, only if Postgres is on (flow requires Postgres)
-  echo ""
-  if [[ "$MIGRATE_POSTGRES" == "yes" ]]; then
-    ENABLE_FLOW=$(read_yes_no "Step 3: Enable traffic flow? (requires Postgres)" "n")
-    if [[ "$ENABLE_FLOW" == "yes" ]]; then
-      # Auth secret MUST match server.authSecret from config.yaml
-      NB_FLOW_AUTH_SECRET=$(yq eval '.server.authSecret // ""' "$CONFIG_YAML_HOST")
-      if [[ -z "$NB_FLOW_AUTH_SECRET" ]] || [[ "$NB_FLOW_AUTH_SECRET" == "null" ]]; then
-        echo "Could not read server.authSecret from $CONFIG_YAML_HOST." > /dev/stderr
-        echo "Flow receiver auth must match the combined server's authSecret." > /dev/stderr
-        exit 1
-      fi
-
-      NETBIRD_DOMAIN=$(detect_exposed_address)
-      if [[ -z "$NETBIRD_DOMAIN" ]] || [[ "$NETBIRD_DOMAIN" == "null" ]]; then
-        NETBIRD_DOMAIN=$(read_required "  Public NetBird URL (e.g. https://netbird.example.com)")
-      fi
-      # Strip protocol + port to leave just the hostname for the Traefik Host() rule.
-      NETBIRD_HOSTNAME=$(echo "$NETBIRD_DOMAIN" | sed -E 's,^https?://,,' | sed 's,:.*,,' | sed 's,/.*,,')
-
-      # We need the encryption key from the existing config.yaml for the enricher
-      NETBIRD_ENCRYPTION_KEY=$(yq eval '.server.store.encryptionKey // ""' "$CONFIG_YAML_HOST")
-      if [[ -z "$NETBIRD_ENCRYPTION_KEY" ]] || [[ "$NETBIRD_ENCRYPTION_KEY" == "null" ]]; then
-        echo "Could not read server.store.encryptionKey from $CONFIG_YAML_HOST." > /dev/stderr
-        exit 1
-      fi
-    fi
-  else
-    ENABLE_FLOW="no"
-    echo "Step 3 (traffic flow) skipped — requires Postgres."
-  fi
-}
-
-apply_changes() {
-  echo ""
-  echo "Writing $OVERRIDE_FILE ..."
-  install -m 644 /dev/null "$OVERRIDE_FILE"
-  render_override > "$OVERRIDE_FILE"
-
-  if [[ -z "${NETBIRD_LICENSE_SERVER_BASE_URL:-}" ]]; then
-    sed -i.bak '/NETBIRD_LICENSE_SERVER_BASE_URL/d' "$OVERRIDE_FILE" && rm -f "$OVERRIDE_FILE.bak"
-  fi
-
-  if [[ "$MIGRATE_POSTGRES" == "yes" ]]; then
-    echo "Writing $ENTERPRISE_CONFIG_FILE ..."
-    install -m 600 /dev/null "$ENTERPRISE_CONFIG_FILE"
-    render_enterprise_config
-  fi
-
-  # Persist secrets that the override file references via env interpolation.
-  # We write them to a .env file in the current directory; docker compose
-  # picks it up automatically.
-  echo "Writing .env additions (mode 600) ..."
-  local ENV_FILE=".env"
-  touch "$ENV_FILE"
-  chmod 600 "$ENV_FILE"
-  {
-    echo ""
-    echo "# Added by migrate-to-enterprise.sh on $(date -u +%Y-%m-%dT%H:%M:%SZ)"
-    echo "NB_LICENSE_KEY=${NB_LICENSE_KEY}"
-    if [[ -n "${NETBIRD_LICENSE_SERVER_BASE_URL:-}" ]]; then
-      echo "NETBIRD_LICENSE_SERVER_BASE_URL=${NETBIRD_LICENSE_SERVER_BASE_URL}"
-    fi
-    if [[ "$MIGRATE_POSTGRES" == "yes" ]]; then
-      echo "POSTGRES_PASSWORD=${POSTGRES_PASSWORD}"
-    fi
-    if [[ "$ENABLE_FLOW" == "yes" ]]; then
-      echo "NB_FLOW_AUTH_SECRET=${NB_FLOW_AUTH_SECRET}"
-      echo "NETBIRD_ENCRYPTION_KEY=${NETBIRD_ENCRYPTION_KEY}"
-    fi
-  } >> "$ENV_FILE"
-
-  echo ""
-  echo "Logging in to ghcr.io ..."
-  printf '%s' "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_USERNAME" --password-stdin
-  unset GHCR_TOKEN
-
-  echo ""
-  echo "Pulling enterprise images ..."
-  $DOCKER_COMPOSE_COMMAND pull
-
-  if [[ "$MIGRATE_POSTGRES" == "yes" ]]; then
-    echo ""
-    echo "Stopping existing services (volumes preserved) ..."
-    $DOCKER_COMPOSE_COMMAND down
-
-    backup_sqlite
-
-    echo ""
-    echo "Starting Postgres ..."
-    $DOCKER_COMPOSE_COMMAND up -d postgres
-
-    # Wait for healthy
-    local counter=0
-    echo -n "Waiting for Postgres to become ready"
-    while ! $DOCKER_COMPOSE_COMMAND exec -T postgres pg_isready -U netbird -d netbird &> /dev/null; do
-      echo -n " ."
-      sleep 2
-      counter=$((counter + 1))
-      if [[ $counter -ge 60 ]]; then
-        echo ""
-        echo "Postgres did not become ready in 120s. Recent logs:"
-        $DOCKER_COMPOSE_COMMAND logs --tail=20 postgres
-        exit 1
-      fi
-    done
-    echo " done"
-
-    run_migrate_store
-  fi
-
-  echo ""
-  echo "Bringing up all services ..."
-  $DOCKER_COMPOSE_COMMAND up -d
-
-  echo ""
-  echo "Migration complete."
-}
-
-print_summary() {
-  echo ""
-  echo "──────────────────────────────────────────────────────────────────────"
-  echo " Summary"
-  echo "──────────────────────────────────────────────────────────────────────"
-  echo "  Images:           swapped to enterprise"
-  [[ "$MIGRATE_POSTGRES" == "yes" ]] && echo "  Storage:          Postgres (data migrated from SQLite)"
-  [[ "$MIGRATE_POSTGRES" != "yes" ]] && echo "  Storage:          SQLite (unchanged)"
-  [[ "$ENABLE_FLOW" == "yes" ]] && echo "  Traffic flow:     enabled"
-  [[ "$ENABLE_FLOW" != "yes" ]] && echo "  Traffic flow:     disabled"
-  echo ""
-  echo "  Generated files (next to your docker-compose.yml):"
-  echo "    $OVERRIDE_FILE"
-  [[ "$MIGRATE_POSTGRES" == "yes" ]] && echo "    $ENTERPRISE_CONFIG_FILE"
-  echo "    .env  (license key + secrets, mode 600)"
-  [[ "$MIGRATE_POSTGRES" == "yes" ]] && echo "    backups/sqlite-pre-enterprise-*/  (SQLite backup)"
-  echo ""
-  echo " Tail logs:"
-  echo "   $DOCKER_COMPOSE_COMMAND logs -f $COMBINED_SERVICE"
-  echo ""
-  echo "──────────────────────────────────────────────────────────────────────"
-  echo " To revert"
-  echo "──────────────────────────────────────────────────────────────────────"
-  echo "  $DOCKER_COMPOSE_COMMAND down"
-  if [[ "$MIGRATE_POSTGRES" == "yes" ]]; then
-    # Resolve project-prefixed volume names now (before override is removed).
-    local pg_volume data_volume_actual
-    pg_volume=$(resolve_data_volume "netbird_postgres")
-    data_volume_actual=$(resolve_data_volume "$DATA_VOLUME")
-    echo "  # Remove the Postgres volume FIRST, before deleting the override file:"
-    echo "  docker volume rm $pg_volume"
-    echo "  # Restore SQLite from the backup created during this run:"
-    echo "  docker run --rm -v ${data_volume_actual}:/var/lib/netbird -v ${BACKUP_DIR}:/backup busybox sh -c 'cp -a /backup/. /var/lib/netbird/'"
-  fi
-  echo "  rm -f $OVERRIDE_FILE $ENTERPRISE_CONFIG_FILE"
-  echo "  # Remove migrate-to-enterprise.sh additions from .env (search for the timestamp marker)"
-  echo "  $DOCKER_COMPOSE_COMMAND up -d"
-  echo "──────────────────────────────────────────────────────────────────────"
-}
-
-# ---------------------------------------------------------------------------
-# Run
-# ---------------------------------------------------------------------------
-
-init_migration
-apply_changes
-print_summary

management/Dockerfile

@@ -2,5 +2,4 @@ FROM ubuntu:24.04
 RUN apt update && apt install -y ca-certificates && rm -fr /var/cache/apt
 ENTRYPOINT [ "/go/bin/netbird-mgmt","management"]
 CMD ["--log-file", "console"]
-ARG TARGETPLATFORM
-COPY ${TARGETPLATFORM}/netbird-mgmt /go/bin/netbird-mgmt
+COPY netbird-mgmt /go/bin/netbird-mgmt

management/Dockerfile.debug

@@ -0,0 +1,5 @@
+FROM ubuntu:24.04
+RUN apt update && apt install -y ca-certificates && rm -fr /var/cache/apt
+ENTRYPOINT [ "/go/bin/netbird-mgmt","management","--log-level","debug"]
+CMD ["--log-file", "console"]
+COPY netbird-mgmt /go/bin/netbird-mgmt

management/internals/modules/reverseproxy/service/manager/manager_test.go

@@ -434,7 +434,7 @@ func TestDeletePeerService_SourcePeerValidation(t *testing.T) {
 		t.Helper()
 		tokenStore := nbgrpc.NewOneTimeTokenStore(context.Background(), testCacheStore(t))
 		pkceStore := nbgrpc.NewPKCEVerifierStore(context.Background(), testCacheStore(t))
-		srv := nbgrpc.NewProxyServiceServer(nil, tokenStore, pkceStore, nbgrpc.ProxyOIDCConfig{}, nil, nil, nil, nil, nil)
+		srv := nbgrpc.NewProxyServiceServer(nil, tokenStore, pkceStore, nbgrpc.ProxyOIDCConfig{}, nil, nil, nil, nil)
 		return srv
 	}
 
@@ -723,7 +723,7 @@ func setupIntegrationTest(t *testing.T) (*Manager, store.Store) {
 
 	tokenStore := nbgrpc.NewOneTimeTokenStore(ctx, testCacheStore(t))
 	pkceStore := nbgrpc.NewPKCEVerifierStore(ctx, testCacheStore(t))
-	proxySrv := nbgrpc.NewProxyServiceServer(nil, tokenStore, pkceStore, nbgrpc.ProxyOIDCConfig{}, nil, nil, nil, nil, nil)
+	proxySrv := nbgrpc.NewProxyServiceServer(nil, tokenStore, pkceStore, nbgrpc.ProxyOIDCConfig{}, nil, nil, nil, nil)
 
 	proxyController, err := proxymanager.NewGRPCController(proxySrv, noop.NewMeterProvider().Meter(""))
 	require.NoError(t, err)
@@ -1147,7 +1147,7 @@ func TestDeleteService_DeletesTargets(t *testing.T) {
 
 	tokenStore := nbgrpc.NewOneTimeTokenStore(ctx, testCacheStore(t))
 	pkceStore := nbgrpc.NewPKCEVerifierStore(ctx, testCacheStore(t))
-	proxySrv := nbgrpc.NewProxyServiceServer(nil, tokenStore, pkceStore, nbgrpc.ProxyOIDCConfig{}, nil, nil, nil, nil, nil)
+	proxySrv := nbgrpc.NewProxyServiceServer(nil, tokenStore, pkceStore, nbgrpc.ProxyOIDCConfig{}, nil, nil, nil, nil)
 
 	proxyController, err := proxymanager.NewGRPCController(proxySrv, noop.NewMeterProvider().Meter(""))
 	require.NoError(t, err)

management/internals/server/boot.go

@@ -219,7 +219,7 @@ func (s *BaseServer) GRPCServer() *grpc.Server {
 
 func (s *BaseServer) ReverseProxyGRPCServer() *nbgrpc.ProxyServiceServer {
 	return Create(s, func() *nbgrpc.ProxyServiceServer {
-		proxyService := nbgrpc.NewProxyServiceServer(s.AccessLogsManager(), s.ProxyTokenStore(), s.PKCEVerifierStore(), s.proxyOIDCConfig(), s.PeersManager(), s.UsersManager(), s.IdpManager(), s.ProxyManager(), s.Store())
+		proxyService := nbgrpc.NewProxyServiceServer(s.AccessLogsManager(), s.ProxyTokenStore(), s.PKCEVerifierStore(), s.proxyOIDCConfig(), s.PeersManager(), s.UsersManager(), s.ProxyManager(), s.Store())
 		s.AfterInit(func(s *BaseServer) {
 			proxyService.SetServiceManager(s.ServiceManager())
 			proxyService.SetProxyController(s.ServiceProxyController())

management/internals/shared/grpc/proxy.go

@@ -33,8 +33,6 @@ import (
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxy"
 	rpservice "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/sessionkey"
-	"github.com/netbirdio/netbird/management/server/idp"
-	"github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/management/server/users"
 	proxyauth "github.com/netbirdio/netbird/proxy/auth"
@@ -84,9 +82,6 @@ type ProxyServiceServer struct {
 	// Manager for users
 	usersManager users.Manager
 
-	// Manager for IdP-enriched user data (may be nil when no IdP is configured)
-	idpManager idp.Manager
-
 	// Store for one-time authentication tokens
 	tokenStore *OneTimeTokenStore
 
@@ -162,7 +157,7 @@ func enforceAccountScope(ctx context.Context, requestAccountID string) error {
 }
 
 // NewProxyServiceServer creates a new proxy service server.
-func NewProxyServiceServer(accessLogMgr accesslogs.Manager, tokenStore *OneTimeTokenStore, pkceStore *PKCEVerifierStore, oidcConfig ProxyOIDCConfig, peersManager peers.Manager, usersManager users.Manager, idpManager idp.Manager, proxyMgr proxy.Manager, tokenChecker ProxyTokenChecker) *ProxyServiceServer {
+func NewProxyServiceServer(accessLogMgr accesslogs.Manager, tokenStore *OneTimeTokenStore, pkceStore *PKCEVerifierStore, oidcConfig ProxyOIDCConfig, peersManager peers.Manager, usersManager users.Manager, proxyMgr proxy.Manager, tokenChecker ProxyTokenChecker) *ProxyServiceServer {
 	ctx, cancel := context.WithCancel(context.Background())
 	s := &ProxyServiceServer{
 		accessLogManager:  accessLogMgr,
@@ -171,7 +166,6 @@ func NewProxyServiceServer(accessLogMgr accesslogs.Manager, tokenStore *OneTimeT
 		pkceVerifierStore: pkceStore,
 		peersManager:      peersManager,
 		usersManager:      usersManager,
-		idpManager:        idpManager,
 		proxyManager:      proxyMgr,
 		tokenChecker:      tokenChecker,
 		snapshotBatchSize: snapshotBatchSizeFromEnv(),
@@ -1708,7 +1702,22 @@ func (s *ProxyServiceServer) ValidateTunnelPeer(ctx context.Context, req *proto.
 	}
 
 	groupIDs, groupNames := pairGroupIDsAndNames(peerGroups)
-	principalID, displayIdentity := s.getTunnelPeerInfo(ctx, domain, service, peer)
+
+	// Resolve the principal: when the peer is linked to a user, the human
+	// is the principal so multiple peers owned by the same user share a
+	// single identity. Unlinked peers (machine agents) are their own
+	// principal keyed on peer.ID. displayIdentity is what upstream gateways
+	// tag spend with — user.Email when linked, peer.Name when not.
+	principalID := peer.ID
+	displayIdentity := peer.Name
+	if peer.UserID != "" {
+		if user, uerr := s.usersManager.GetUser(ctx, peer.UserID); uerr == nil && user != nil {
+			principalID = user.Id
+			if user.Email != "" {
+				displayIdentity = user.Email
+			}
+		}
+	}
 
 	if err := checkPeerGroupAccess(service, groupIDs); err != nil {
 		log.WithFields(log.Fields{"domain": domain, "peer_id": peer.ID, "error": err.Error()}).Debug("ValidateTunnelPeer: access denied")
@@ -1745,45 +1754,6 @@ func (s *ProxyServiceServer) ValidateTunnelPeer(ctx context.Context, req *proto.
 	}, nil
 }
 
-// getTunnelPeerInfo returns the principal ID and display name for a peer, e.g. a
-// user or peer ID, and peer name or user email.
-func (s *ProxyServiceServer) getTunnelPeerInfo(ctx context.Context, domain string, service *rpservice.Service, peer *peer.Peer) (string, string) {
-	// Resolve the principal: when the peer is linked to a user, the human is the
-	// principal so multiple peers owned by the same user share a single
-	// identity. Unlinked peers (machine agents) are their own principal keyed on
-	// peer.ID. displayIdentity is what upstream gateways tag spend with —
-	// user.Email when linked, peer.Name when not.
-
-	// If the peer isn't associated with a user, return the peer info directly.
-	if peer.UserID == "" {
-		return peer.ID, peer.Name
-	}
-
-	// Otherwise, if the peer is linked to a user, the user is the principal and
-	// if an IdP is available, we gather details on the user from it.
-	principalID := peer.UserID
-	displayIdentity := peer.Name
-	// Stored column first (cheap, but often empty for OIDC-provisioned users).
-	if user, uerr := s.usersManager.GetUser(ctx, peer.UserID); uerr == nil && user != nil {
-		principalID = user.Id
-		if user.Email != "" {
-			displayIdentity = user.Email
-		}
-	}
-	// IdP enrichment wins when available — the stored email column is a
-	// best-effort cache and is frequently empty for OIDC users. Enrichment
-	// failures must never fail the RPC; we simply keep the stored/peer identity.
-	if s.idpManager != nil {
-		if ud, uerr := s.idpManager.GetUserDataByID(ctx, peer.UserID, idp.AppMetadata{WTAccountID: service.AccountID}); uerr == nil && ud != nil && ud.Email != "" {
-			displayIdentity = ud.Email
-		} else if uerr != nil {
-			log.WithFields(log.Fields{"domain": domain, "user_id": peer.UserID, "error": uerr.Error()}).Debug("ValidateTunnelPeer: IdP user enrichment failed; using stored/peer identity")
-		}
-	}
-
-	return principalID, displayIdentity
-}
-
 // checkPeerGroupAccess gates ValidateTunnelPeer by the service's required
 // groups. Private services authorise against AccessGroups (empty list fails
 // closed — Validate() rejects that at save time but the RPC is the security

management/internals/shared/grpc/proxy_group_access_test.go

@@ -3,19 +3,14 @@ package grpc
 import (
 	"context"
 	"errors"
-	"net"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/netbirdio/netbird/management/internals/modules/peers"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxy"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service"
-	"github.com/netbirdio/netbird/management/server/idp"
-	"github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/shared/management/proto"
 )
 
 type mockReverseProxyManager struct {
@@ -142,52 +137,6 @@ func (m *mockUsersManager) GetUserWithGroups(ctx context.Context, userID string)
 	return user, nil, nil
 }
 
-// mockTunnelPeersManager implements only the two peers.Manager methods that
-// ValidateTunnelPeer calls; the embedded interface satisfies the rest (and
-// panics if any unexpected method is invoked).
-type mockTunnelPeersManager struct {
-	peers.Manager
-	peer      *peer.Peer
-	peerErr   error
-	groups    []*types.Group
-	groupsErr error
-}
-
-func (m *mockTunnelPeersManager) GetPeerByTunnelIP(_ context.Context, _ string, _ net.IP) (*peer.Peer, error) {
-	return m.peer, m.peerErr
-}
-
-func (m *mockTunnelPeersManager) GetPeerWithGroups(_ context.Context, _, _ string) (*peer.Peer, []*types.Group, error) {
-	return m.peer, m.groups, m.groupsErr
-}
-
-// mockTunnelIdpManager implements only GetUserDataByID; the embedded interface
-// satisfies the rest of idp.Manager. hasData==false returns (nil, nil) to model
-// an IdP that knows nothing about the user.
-type mockTunnelIdpManager struct {
-	idp.Manager
-	email    string
-	hasData  bool
-	err      error
-	gotCalls int
-	gotMeta  []idp.AppMetadata
-}
-
-func (m *mockTunnelIdpManager) GetUserDataByID(_ context.Context, userID string, meta idp.AppMetadata) (*idp.UserData, error) {
-	m.gotCalls++
-	m.gotMeta = append(m.gotMeta, meta)
-	if m.err != nil {
-		return nil, m.err
-	}
-	if !m.hasData {
-		// This might not be a thing any of the actual IDP implementations do,
-		// i.e. return a nil value with no error, but it seems valuable to test
-		// that behavior here.
-		return nil, nil //nolint:nilnil
-	}
-	return &idp.UserData{ID: userID, Email: m.email}, nil
-}
-
 func TestValidateUserGroupAccess(t *testing.T) {
 	tests := []struct {
 		name             string
@@ -405,163 +354,6 @@ func TestValidateUserGroupAccess(t *testing.T) {
 	}
 }
 
-// TestValidateTunnelPeerUserEmailEnrichment verifies the UserEmail/UserId
-// resolution in ValidateTunnelPeer, including the IdP-enrichment fallback order
-// (IdP email -> stored User.Email -> peer.Name).
-func TestValidateTunnelPeerUserEmailEnrichment(t *testing.T) {
-	const (
-		domain    = "app.example.com"
-		accountID = "account1"
-		peerID    = "peer1"
-		peerName  = "peer-display-name"
-		userID    = "user1"
-	)
-
-	storedUser := map[string]*types.User{userID: {Id: userID, AccountID: accountID, Email: "stored@example.com"}}
-	storedUserNoEmail := map[string]*types.User{userID: {Id: userID, AccountID: accountID, Email: ""}}
-
-	tests := []struct {
-		name         string
-		peerUserID   string
-		storedUsers  map[string]*types.User
-		storedErr    error
-		noIdP        bool
-		idpEmail     string
-		idpHasData   bool
-		idpErr       error
-		expectEmail  string
-		expectUserID string
-		expectIdPHit bool
-	}{
-		{
-			name:         "idp email wins over stored email",
-			peerUserID:   userID,
-			storedUsers:  storedUser,
-			idpEmail:     "idp@example.com",
-			idpHasData:   true,
-			expectEmail:  "idp@example.com",
-			expectUserID: userID,
-			expectIdPHit: true,
-		},
-		{
-			name:         "stored email when idp returns empty email",
-			peerUserID:   userID,
-			storedUsers:  storedUser,
-			idpEmail:     "",
-			idpHasData:   true,
-			expectEmail:  "stored@example.com",
-			expectUserID: userID,
-			expectIdPHit: true,
-		},
-		{
-			name:         "stored email when idp has no data",
-			peerUserID:   userID,
-			storedUsers:  storedUser,
-			idpHasData:   false,
-			expectEmail:  "stored@example.com",
-			expectUserID: userID,
-			expectIdPHit: true,
-		},
-		{
-			name:         "stored email when idp errors",
-			peerUserID:   userID,
-			storedUsers:  storedUser,
-			idpErr:       errors.New("idp unreachable"),
-			expectEmail:  "stored@example.com",
-			expectUserID: userID,
-			expectIdPHit: true,
-		},
-		{
-			name:         "stored email when no idp manager",
-			peerUserID:   userID,
-			storedUsers:  storedUser,
-			noIdP:        true,
-			expectEmail:  "stored@example.com",
-			expectUserID: userID,
-		},
-		{
-			name:         "idp email when stored email is empty",
-			peerUserID:   userID,
-			storedUsers:  storedUserNoEmail,
-			idpEmail:     "idp@example.com",
-			idpHasData:   true,
-			expectEmail:  "idp@example.com",
-			expectUserID: userID,
-			expectIdPHit: true,
-		},
-		{
-			name:         "idp email when stored user missing keeps peer.UserID as principal",
-			peerUserID:   userID,
-			storedUsers:  map[string]*types.User{},
-			idpEmail:     "idp@example.com",
-			idpHasData:   true,
-			expectEmail:  "idp@example.com",
-			expectUserID: userID,
-			expectIdPHit: true,
-		},
-		{
-			name:         "unlinked peer uses peer name and never consults idp",
-			peerUserID:   "",
-			storedUsers:  storedUser,
-			idpEmail:     "idp@example.com",
-			idpHasData:   true,
-			expectEmail:  peerName,
-			expectUserID: peerID,
-			expectIdPHit: false,
-		},
-		{
-			name:         "linked peer with empty stored email and no idp falls back to peer name",
-			peerUserID:   userID,
-			storedUsers:  storedUserNoEmail,
-			noIdP:        true,
-			expectEmail:  peerName,
-			expectUserID: userID,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			svc := &service.Service{Domain: domain, AccountID: accountID}
-			server := &ProxyServiceServer{
-				serviceManager: &mockReverseProxyManager{
-					proxiesByAccount: map[string][]*service.Service{accountID: {svc}},
-				},
-				peersManager: &mockTunnelPeersManager{
-					peer: &peer.Peer{ID: peerID, Name: peerName, UserID: tt.peerUserID},
-				},
-				usersManager: &mockUsersManager{users: tt.storedUsers, err: tt.storedErr},
-			}
-
-			var idpMock *mockTunnelIdpManager
-			if !tt.noIdP {
-				idpMock = &mockTunnelIdpManager{email: tt.idpEmail, hasData: tt.idpHasData, err: tt.idpErr}
-				server.idpManager = idpMock
-			}
-
-			resp, err := server.ValidateTunnelPeer(context.Background(), &proto.ValidateTunnelPeerRequest{
-				Domain:   domain,
-				TunnelIp: "100.64.0.1",
-			})
-
-			require.NoError(t, err)
-			require.NotNil(t, resp)
-			assert.True(t, resp.GetValid(), "expected access granted")
-			assert.Equal(t, tt.expectEmail, resp.GetUserEmail())
-			assert.Equal(t, tt.expectUserID, resp.GetUserId())
-
-			if idpMock != nil {
-				if tt.expectIdPHit {
-					assert.Equal(t, 1, idpMock.gotCalls, "expected IdP to be consulted")
-					require.Len(t, idpMock.gotMeta, 1)
-					assert.Equal(t, accountID, idpMock.gotMeta[0].WTAccountID)
-				} else {
-					assert.Equal(t, 0, idpMock.gotCalls, "expected IdP to not be consulted")
-				}
-			}
-		})
-	}
-}
-
 func TestGetAccountProxyByDomain(t *testing.T) {
 	tests := []struct {
 		name             string

management/internals/shared/grpc/validate_session_test.go

@@ -42,7 +42,7 @@ func setupValidateSessionTest(t *testing.T) *validateSessionTestSetup {
 	tokenStore := NewOneTimeTokenStore(ctx, testCacheStore(t))
 	pkceStore := NewPKCEVerifierStore(ctx, testCacheStore(t))
 
-	proxyService := NewProxyServiceServer(nil, tokenStore, pkceStore, ProxyOIDCConfig{}, nil, usersManager, nil, proxyManager, nil)
+	proxyService := NewProxyServiceServer(nil, tokenStore, pkceStore, ProxyOIDCConfig{}, nil, usersManager, proxyManager, nil)
 	proxyService.SetServiceManager(serviceManager)
 
 	createTestProxies(t, ctx, testStore)

management/server/account_test.go

@@ -3215,7 +3215,7 @@ func createManager(t testing.TB) (*DefaultAccountManager, *update_channel.PeersU
 		return nil, nil, err
 	}
 
-	proxyGrpcServer := nbgrpc.NewProxyServiceServer(nil, nil, nil, nbgrpc.ProxyOIDCConfig{}, peersManager, nil, nil, proxyManager, nil)
+	proxyGrpcServer := nbgrpc.NewProxyServiceServer(nil, nil, nil, nbgrpc.ProxyOIDCConfig{}, peersManager, nil, proxyManager, nil)
 	proxyController, err := proxymanager.NewGRPCController(proxyGrpcServer, noop.Meter{})
 	if err != nil {
 		return nil, nil, err

management/server/http/handlers/proxy/auth_callback_integration_test.go

@@ -217,7 +217,6 @@ func setupAuthCallbackTest(t *testing.T) *testSetup {
 		usersManager,
 		nil,
 		nil,
-		nil,
 	)
 
 	proxyService.SetServiceManager(&testServiceManager{store: testStore})

management/server/http/testing/testing_tools/channel/channel.go

@@ -110,7 +110,7 @@ func BuildApiBlackBoxWithDBState(t testing_tools.TB, sqlFile string, expectedPee
 	if err != nil {
 		t.Fatalf("Failed to create proxy manager: %v", err)
 	}
-	proxyServiceServer := nbgrpc.NewProxyServiceServer(accessLogsManager, proxyTokenStore, pkceverifierStore, nbgrpc.ProxyOIDCConfig{}, peersManager, userManager, nil, proxyMgr, nil)
+	proxyServiceServer := nbgrpc.NewProxyServiceServer(accessLogsManager, proxyTokenStore, pkceverifierStore, nbgrpc.ProxyOIDCConfig{}, peersManager, userManager, proxyMgr, nil)
 	domainManager := manager.NewManager(store, proxyMgr, permissionsManager, am)
 	serviceProxyController, err := proxymanager.NewGRPCController(proxyServiceServer, noopMeter)
 	if err != nil {
@@ -240,7 +240,7 @@ func BuildApiBlackBoxWithDBStateAndPeerChannel(t testing_tools.TB, sqlFile strin
 	if err != nil {
 		t.Fatalf("Failed to create proxy manager: %v", err)
 	}
-	proxyServiceServer := nbgrpc.NewProxyServiceServer(accessLogsManager, proxyTokenStore, pkceverifierStore, nbgrpc.ProxyOIDCConfig{}, peersManager, userManager, nil, proxyMgr, nil)
+	proxyServiceServer := nbgrpc.NewProxyServiceServer(accessLogsManager, proxyTokenStore, pkceverifierStore, nbgrpc.ProxyOIDCConfig{}, peersManager, userManager, proxyMgr, nil)
 	domainManager := manager.NewManager(store, proxyMgr, permissionsManager, am)
 	serviceProxyController, err := proxymanager.NewGRPCController(proxyServiceServer, noopMeter)
 	if err != nil {

management/server/peer.go

@@ -982,6 +982,7 @@ func (am *DefaultAccountManager) SyncPeer(ctx context.Context, sync types.PeerSy
 	var peer *nbpeer.Peer
 	var updated, versionChanged, ipv6CapabilityChanged bool
 	var err error
+	var peerGroupIDs []string
 
 	settings, err := am.Store.GetAccountSettings(ctx, store.LockingStrengthNone, accountID)
 	if err != nil {
@@ -1009,8 +1010,13 @@ func (am *DefaultAccountManager) SyncPeer(ctx context.Context, sync types.PeerSy
 			return status.NewPeerLoginExpiredError()
 		}
 
+		peerGroupIDs, err = getPeerGroupIDs(ctx, transaction, accountID, peer.ID)
+		if err != nil {
+			return err
+		}
+
 		oldHasIPv6Cap := peer.HasCapability(nbpeer.PeerCapabilityIPv6Overlay)
-		updated, versionChanged = peer.UpdateMetaIfNew(ctx, sync.Meta)
+		updated, versionChanged = peer.UpdateMetaIfNew(sync.Meta)
 		ipv6CapabilityChanged = oldHasIPv6Cap != peer.HasCapability(nbpeer.PeerCapabilityIPv6Overlay)
 		if updated {
 			am.metrics.AccountManagerMetrics().CountPeerMetUpdate()
@@ -1025,11 +1031,6 @@ func (am *DefaultAccountManager) SyncPeer(ctx context.Context, sync types.PeerSy
 		return nil, nil, nil, 0, err
 	}
 
-	peerGroupIDs, err := getPeerGroupIDs(ctx, am.Store, accountID, peer.ID)
-	if err != nil {
-		return nil, nil, nil, 0, err
-	}
-
 	peerNotValid, isStatusChanged, err := am.integratedPeerValidator.IsNotValidPeer(ctx, accountID, peer, peerGroupIDs, settings.Extra)
 	if err != nil {
 		return nil, nil, nil, 0, err
@@ -1040,9 +1041,10 @@ func (am *DefaultAccountManager) SyncPeer(ctx context.Context, sync types.PeerSy
 		return nil, nil, nil, 0, err
 	}
 
-	if isStatusChanged || sync.UpdateAccountPeers || ipv6CapabilityChanged || (updated && (len(resPostureChecks) > 0 || versionChanged)) {
+	if isStatusChanged || sync.UpdateAccountPeers || ipv6CapabilityChanged || updated || versionChanged {
 		changedPeerIDs := []string{peer.ID}
-		affectedPeerIDs := am.syncPeerAffectedPeers(ctx, accountID, peer.ID, nmap, peerNotValid, updated, len(resPostureChecks) > 0)
+		affectedPeerIDs := am.syncPeerAffectedPeers(ctx, accountID, peer.ID, nmap, peerNotValid, updated)
+		log.Infof("Sync: peer %s affected peers %s", peer.ID, affectedPeerIDs)
 		if err = am.networkMapController.OnPeersUpdated(ctx, accountID, changedPeerIDs, affectedPeerIDs); err != nil {
 			return nil, nil, nil, 0, fmt.Errorf("notify network map controller of peer update: %w", err)
 		}
@@ -1059,8 +1061,8 @@ func (am *DefaultAccountManager) SyncPeer(ctx context.Context, sync types.PeerSy
 // metadata change that flips a posture result removes this peer from others'
 // maps asymmetrically; that case (and an invalid peer, whose map is empty) falls
 // back to the resolver.
-func (am *DefaultAccountManager) syncPeerAffectedPeers(ctx context.Context, accountID, peerID string, nmap *types.NetworkMap, peerNotValid, metaUpdated, hasPostureChecks bool) []string {
-	if peerNotValid || (metaUpdated && hasPostureChecks) {
+func (am *DefaultAccountManager) syncPeerAffectedPeers(ctx context.Context, accountID, peerID string, nmap *types.NetworkMap, peerNotValid, metaUpdated bool) []string {
+	if peerNotValid || metaUpdated {
 		return am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, []string{peerID})
 	}
 	return affectedPeerIDsFromNetworkMap(nmap, peerID)
@@ -1117,7 +1119,7 @@ func (am *DefaultAccountManager) LoginPeer(ctx context.Context, login types.Peer
 	}
 
 	var peer *nbpeer.Peer
-	var shouldStorePeer, shouldUpdatePeers bool
+	var shouldStorePeer bool
 	var peerGroupIDs []string
 
 	settings, err := am.Store.GetAccountSettings(ctx, store.LockingStrengthNone, accountID)
@@ -1144,10 +1146,14 @@ func (am *DefaultAccountManager) LoginPeer(ctx context.Context, login types.Peer
 
 			if changed {
 				shouldStorePeer = true
-				shouldUpdatePeers = true
 			}
 		}
 
+		peerGroupIDs, err = getPeerGroupIDs(ctx, transaction, accountID, peer.ID)
+		if err != nil {
+			return err
+		}
+
 		if peer.SSHKey != login.SSHKey {
 			peer.SSHKey = login.SSHKey
 			shouldStorePeer = true
@@ -1163,21 +1169,15 @@ func (am *DefaultAccountManager) LoginPeer(ctx context.Context, login types.Peer
 			}
 		}
 
+		peer.UpdateMetaIfNew(login.Meta)
+
 		return nil
 	})
 	if err != nil {
 		return nil, nil, nil, false, err
 	}
 
-	// This is needed to keep in memory for the peer config. Otherwise browser client will end in a retry loop
-	peer.Meta = login.Meta
-
-	peerGroupIDs, err = getPeerGroupIDs(ctx, am.Store, accountID, peer.ID)
-	if err != nil {
-		return nil, nil, nil, false, err
-	}
-
-	isRequiresApproval, _, err := am.integratedPeerValidator.IsNotValidPeer(ctx, accountID, peer, peerGroupIDs, settings.Extra)
+	isRequiresApproval, isStatusChanged, err := am.integratedPeerValidator.IsNotValidPeer(ctx, accountID, peer, peerGroupIDs, settings.Extra)
 	if err != nil {
 		return nil, nil, nil, false, err
 	}
@@ -1187,7 +1187,11 @@ func (am *DefaultAccountManager) LoginPeer(ctx context.Context, login types.Peer
 		return nil, nil, nil, false, err
 	}
 
-	if shouldUpdatePeers {
+	changedPeerIDs := []string{peer.ID}
+	affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, changedPeerIDs)
+	log.Infof("Login: peer %s affected peers %s", peer.ID, affectedPeerIDs)
+
+	if isStatusChanged || shouldStorePeer {
 		changedPeerIDs := []string{peer.ID}
 		affectedPeerIDs := am.resolveAffectedPeersForPeerChanges(ctx, am.Store, accountID, changedPeerIDs)
 		if err = am.networkMapController.OnPeersUpdated(ctx, accountID, changedPeerIDs, affectedPeerIDs); err != nil {
@@ -1283,39 +1287,45 @@ func getPeerLoginInfo(ctx context.Context, transaction store.Store, accountID st
 		return network, nil, false, nil
 	}
 
-	policies, err := transaction.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
+	postureChecks, err := getPeerPostureChecks(ctx, transaction, accountID, peer.ID)
 	if err != nil {
 		return nil, nil, false, err
 	}
 
-	peerGroupIDs, err := transaction.GetPeerGroupIDs(ctx, store.LockingStrengthNone, accountID, peer.ID)
+	_, err = isPeerSSHEnabled(ctx, transaction, accountID, peer)
 	if err != nil {
 		return nil, nil, false, err
 	}
 
-	postureChecks, err := getPeerPostureChecks(ctx, transaction, accountID, peerGroupIDs, policies)
-	if err != nil {
-		return nil, nil, false, err
-	}
-
-	enableSSH, err := isPeerSSHEnabled(ctx, peer, policies, peerGroupIDs)
-	if err != nil {
-		return nil, nil, false, err
-	}
-
-	return network, postureChecks, enableSSH, nil
+	return network, postureChecks, true, nil
 }
 
-func isPeerSSHEnabled(ctx context.Context, peer *nbpeer.Peer, policies []*types.Policy, peerGroupIDs []string) (bool, error) {
-	groupIDsMap := make(map[string]struct{}, len(peerGroupIDs))
-	for _, peerID := range peerGroupIDs {
-		groupIDsMap[peerID] = struct{}{}
+func isPeerSSHEnabled(ctx context.Context, transaction store.Store, accountID string, peer *nbpeer.Peer) (bool, error) {
+	policies, err := transaction.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		return false, err
 	}
-	return types.PeerSSHEnabledFromPolicies(policies, peer.ID, groupIDsMap, peer.SSHEnabled), nil
+
+	peerGroups, err := transaction.GetPeerGroups(ctx, store.LockingStrengthNone, accountID, peer.ID)
+	if err != nil {
+		return false, err
+	}
+
+	peerGroupIDs := make(map[string]struct{}, len(peerGroups))
+	for _, g := range peerGroups {
+		peerGroupIDs[g.ID] = struct{}{}
+	}
+
+	return types.PeerSSHEnabledFromPolicies(policies, peer.ID, peerGroupIDs, peer.SSHEnabled), nil
 }
 
 // getPeerPostureChecks returns the posture checks for the peer.
-func getPeerPostureChecks(ctx context.Context, transaction store.Store, accountID string, peerGroupIDs []string, policies []*types.Policy) ([]*posture.Checks, error) {
+func getPeerPostureChecks(ctx context.Context, transaction store.Store, accountID, peerID string) ([]*posture.Checks, error) {
+	policies, err := transaction.GetAccountPolicies(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		return nil, err
+	}
+
 	if len(policies) == 0 {
 		return nil, nil
 	}
@@ -1327,7 +1337,11 @@ func getPeerPostureChecks(ctx context.Context, transaction store.Store, accountI
 			continue
 		}
 
-		postureChecksIDs := processPeerPostureChecks(policy, peerGroupIDs)
+		postureChecksIDs, err := processPeerPostureChecks(ctx, transaction, policy, accountID, peerID)
+		if err != nil {
+			return nil, err
+		}
+
 		peerPostureChecksIDs = append(peerPostureChecksIDs, postureChecksIDs...)
 	}
 
@@ -1340,19 +1354,29 @@ func getPeerPostureChecks(ctx context.Context, transaction store.Store, accountI
 }
 
 // processPeerPostureChecks checks if the peer is in the source group of the policy and returns the posture checks.
-func processPeerPostureChecks(policy *types.Policy, peerGroupIDs []string) []string {
+func processPeerPostureChecks(ctx context.Context, transaction store.Store, policy *types.Policy, accountID, peerID string) ([]string, error) {
 	for _, rule := range policy.Rules {
 		if !rule.Enabled {
 			continue
 		}
 
+		sourceGroups, err := transaction.GetGroupsByIDs(ctx, store.LockingStrengthNone, accountID, rule.Sources)
+		if err != nil {
+			return nil, err
+		}
+
 		for _, sourceGroup := range rule.Sources {
-			if slices.Contains(peerGroupIDs, sourceGroup) {
-				return policy.SourcePostureChecks
+			group, ok := sourceGroups[sourceGroup]
+			if !ok {
+				return nil, fmt.Errorf("failed to check peer in policy source group")
+			}
+
+			if slices.Contains(group.Peers, peerID) {
+				return policy.SourcePostureChecks, nil
 			}
 		}
 	}
-	return nil
+	return nil, nil
 }
 
 // checkIFPeerNeedsLoginWithoutLock checks if the peer needs login without acquiring the account lock. The check validate if the peer was not added via SSO

management/server/peer/peer.go

@@ -1,11 +1,11 @@
 package peer
 
 import (
-	"context"
 	"fmt"
 	"net"
 	"net/netip"
 	"slices"
+	"sort"
 	"strings"
 	"time"
 
@@ -209,12 +209,12 @@ func (p *Peer) SupportsSourcePrefixes() bool {
 	return p.HasCapability(PeerCapabilitySourcePrefixes)
 }
 
-func capabilitiesEqual(a, b []int32) bool {
-	if len(a) != len(b) {
+func (a PeerSystemMeta) CapabilitiesEqual(b []int32) bool {
+	if len(a.Capabilities) != len(b) {
 		return false
 	}
-	set := make(map[int32]struct{}, len(a))
-	for _, c := range a {
+	set := make(map[int32]struct{}, len(a.Capabilities))
+	for _, c := range a.Capabilities {
 		set[c] = struct{}{}
 	}
 	for _, c := range b {
@@ -258,7 +258,7 @@ func (p *Peer) Copy() *Peer {
 
 // UpdateMetaIfNew updates peer's system metadata if new information is provided
 // returns true if meta was updated, false otherwise
-func (p *Peer) UpdateMetaIfNew(ctx context.Context, meta PeerSystemMeta) (updated, versionChanged bool) {
+func (p *Peer) UpdateMetaIfNew(meta PeerSystemMeta) (updated, versionChanged bool) {
 	if meta.isEmpty() {
 		return updated, versionChanged
 	}
@@ -283,9 +283,9 @@ func (p *Peer) UpdateMetaIfNew(ctx context.Context, meta PeerSystemMeta) (update
 		versionInfo = fmt.Sprintf("version changed: %s -> %s, ", oldVersion, meta.WtVersion)
 	}
 
-	if len(diff) > 0 || versionChanged {
-		log.WithContext(ctx).
-			Debugf("peer meta updated, %s%d field(s) changed: %s", versionInfo, len(diff), strings.Join(diff, ", "))
+	if versionChanged || updated {
+		log.WithFields(log.Fields{"peer": p.ID, "key": p.Key}).
+			Infof("peer meta updated, %s%d field(s) changed: %s", versionInfo, len(diff), strings.Join(diff, ", "))
 	}
 
 	return updated, versionChanged
@@ -296,95 +296,87 @@ func (p *Peer) UpdateMetaIfNew(ctx context.Context, meta PeerSystemMeta) (update
 // source of truth for meta comparison: isEqual reports equality as an empty
 // diff, so the log line can never disagree with the change decision. Slices are
 // cloned before sorting, so callers' meta is not mutated.
-func metaDiff(oldMeta, newMeta PeerSystemMeta) []string {
+func metaDiff(old, new PeerSystemMeta) []string {
 	var diff []string
 	add := func(field string, oldVal, newVal any) {
 		diff = append(diff, fmt.Sprintf("%s: %v -> %v", field, oldVal, newVal))
 	}
 
-	if oldMeta.Hostname != newMeta.Hostname {
-		add("hostname", oldMeta.Hostname, newMeta.Hostname)
+	if old.Hostname != new.Hostname {
+		add("hostname", old.Hostname, new.Hostname)
 	}
-	if oldMeta.GoOS != newMeta.GoOS {
-		add("goos", oldMeta.GoOS, newMeta.GoOS)
+	if old.GoOS != new.GoOS {
+		add("goos", old.GoOS, new.GoOS)
 	}
-	if oldMeta.Kernel != newMeta.Kernel {
-		add("kernel", oldMeta.Kernel, newMeta.Kernel)
+	if old.Kernel != new.Kernel {
+		add("kernel", old.Kernel, new.Kernel)
 	}
-	if oldMeta.KernelVersion != newMeta.KernelVersion {
-		add("kernel_version", oldMeta.KernelVersion, newMeta.KernelVersion)
+	if old.KernelVersion != new.KernelVersion {
+		add("kernel_version", old.KernelVersion, new.KernelVersion)
 	}
-	if oldMeta.Core != newMeta.Core {
-		add("core", oldMeta.Core, newMeta.Core)
+	if old.Core != new.Core {
+		add("core", old.Core, new.Core)
 	}
-	if oldMeta.Platform != newMeta.Platform {
-		add("platform", oldMeta.Platform, newMeta.Platform)
+	if old.Platform != new.Platform {
+		add("platform", old.Platform, new.Platform)
 	}
-	if oldMeta.OS != newMeta.OS {
-		add("os", oldMeta.OS, newMeta.OS)
+	if old.OS != new.OS {
+		add("os", old.OS, new.OS)
 	}
-	if oldMeta.OSVersion != newMeta.OSVersion {
-		add("os_version", oldMeta.OSVersion, newMeta.OSVersion)
+	if old.OSVersion != new.OSVersion {
+		add("os_version", old.OSVersion, new.OSVersion)
 	}
-	if oldMeta.WtVersion != newMeta.WtVersion {
-		add("wt_version", oldMeta.WtVersion, newMeta.WtVersion)
+	if old.WtVersion != new.WtVersion {
+		add("wt_version", old.WtVersion, new.WtVersion)
 	}
-	if oldMeta.UIVersion != newMeta.UIVersion {
-		add("ui_version", oldMeta.UIVersion, newMeta.UIVersion)
+	if old.UIVersion != new.UIVersion {
+		add("ui_version", old.UIVersion, new.UIVersion)
 	}
-	if oldMeta.SystemSerialNumber != newMeta.SystemSerialNumber {
-		add("system_serial_number", oldMeta.SystemSerialNumber, newMeta.SystemSerialNumber)
+	if old.SystemSerialNumber != new.SystemSerialNumber {
+		add("system_serial_number", old.SystemSerialNumber, new.SystemSerialNumber)
 	}
-	if oldMeta.SystemProductName != newMeta.SystemProductName {
-		add("system_product_name", oldMeta.SystemProductName, newMeta.SystemProductName)
+	if old.SystemProductName != new.SystemProductName {
+		add("system_product_name", old.SystemProductName, new.SystemProductName)
 	}
-	if oldMeta.SystemManufacturer != newMeta.SystemManufacturer {
-		add("system_manufacturer", oldMeta.SystemManufacturer, newMeta.SystemManufacturer)
+	if old.SystemManufacturer != new.SystemManufacturer {
+		add("system_manufacturer", old.SystemManufacturer, new.SystemManufacturer)
 	}
-	if oldMeta.Environment.Cloud != newMeta.Environment.Cloud {
-		add("environment_cloud", oldMeta.Environment.Cloud, newMeta.Environment.Cloud)
+	if old.Environment.Cloud != new.Environment.Cloud {
+		add("environment_cloud", old.Environment.Cloud, new.Environment.Cloud)
 	}
-	if oldMeta.Environment.Platform != newMeta.Environment.Platform {
-		add("environment_platform", oldMeta.Environment.Platform, newMeta.Environment.Platform)
+	if old.Environment.Platform != new.Environment.Platform {
+		add("environment_platform", old.Environment.Platform, new.Environment.Platform)
 	}
-	if !oldMeta.Flags.isEqual(newMeta.Flags) {
-		add("flags", fmt.Sprintf("%+v", oldMeta.Flags), fmt.Sprintf("%+v", newMeta.Flags))
+	if !old.Flags.isEqual(new.Flags) {
+		add("flags", fmt.Sprintf("%+v", old.Flags), fmt.Sprintf("%+v", new.Flags))
 	}
-	if !capabilitiesEqual(oldMeta.Capabilities, newMeta.Capabilities) {
-		add("capabilities", oldMeta.Capabilities, newMeta.Capabilities)
+	if !old.CapabilitiesEqual(new.Capabilities) {
+		add("capabilities", old.Capabilities, new.Capabilities)
 	}
 
-	if !sameMultiset(oldMeta.NetworkAddresses, newMeta.NetworkAddresses) {
-		add("network_addresses", fmt.Sprintf("%v", oldMeta.NetworkAddresses), fmt.Sprintf("%v", newMeta.NetworkAddresses))
+	oldAddrs := slices.Clone(old.NetworkAddresses)
+	newAddrs := slices.Clone(new.NetworkAddresses)
+	sort.Slice(oldAddrs, func(i, j int) bool { return oldAddrs[i].Mac < oldAddrs[j].Mac })
+	sort.Slice(newAddrs, func(i, j int) bool { return newAddrs[i].Mac < newAddrs[j].Mac })
+	if !slices.EqualFunc(oldAddrs, newAddrs, func(a, b NetworkAddress) bool {
+		return a.Mac == b.Mac && a.NetIP == b.NetIP
+	}) {
+		add("network_addresses", fmt.Sprintf("%v", oldAddrs), fmt.Sprintf("%v", newAddrs))
 	}
 
-	if !sameMultiset(oldMeta.Files, newMeta.Files) {
-		add("files", fmt.Sprintf("%v", oldMeta.Files), fmt.Sprintf("%v", newMeta.Files))
+	oldFiles := slices.Clone(old.Files)
+	newFiles := slices.Clone(new.Files)
+	sort.Slice(oldFiles, func(i, j int) bool { return oldFiles[i].Path < oldFiles[j].Path })
+	sort.Slice(newFiles, func(i, j int) bool { return newFiles[i].Path < newFiles[j].Path })
+	if !slices.EqualFunc(oldFiles, newFiles, func(a, b File) bool {
+		return a.Path == b.Path && a.Exist == b.Exist && a.ProcessIsRunning == b.ProcessIsRunning
+	}) {
+		add("files", fmt.Sprintf("%v", oldFiles), fmt.Sprintf("%v", newFiles))
 	}
 
 	return diff
 }
 
-// sameMultiset reports whether two slices contain the same elements with the
-// same multiplicity, ignoring order. The element type is the comparison key, so
-// every field participates in equality.
-func sameMultiset[T comparable](a, b []T) bool {
-	if len(a) != len(b) {
-		return false
-	}
-	counts := make(map[T]int, len(a))
-	for _, v := range a {
-		counts[v]++
-	}
-	for _, v := range b {
-		counts[v]--
-		if counts[v] == 0 {
-			delete(counts, v)
-		}
-	}
-	return len(counts) == 0
-}
-
 // GetLastLogin returns the last login time of the peer.
 func (p *Peer) GetLastLogin() time.Time {
 	if p.LastLogin != nil {

management/server/peer/peer_metadiff_test.go

@@ -1,113 +0,0 @@
-package peer
-
-import (
-	"net/netip"
-	"reflect"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-// metaDiffExtraEntries accounts for PeerSystemMeta fields that metaDiff does not
-// map 1:1 to a single diff entry. Today the only such field is Environment, which
-// is exploded into two checks (Cloud, Platform) and therefore yields one extra
-// entry beyond its single struct field. If you teach metaDiff to explode another
-// field into N entries, bump this by N-1; if you collapse a field, lower it.
-const metaDiffExtraEntries = 1
-
-// TestMetaDiff_CoversAllFields fully populates a PeerSystemMeta with non-zero
-// values and diffs it against the zero value, then asserts metaDiff emits exactly
-// one entry per exported field (plus metaDiffExtraEntries for fields it explodes).
-//
-// The expected count is derived from the struct via reflection, so adding a field
-// to PeerSystemMeta raises the expectation automatically — but the actual diff
-// only grows if metaDiff was taught to compare the new field. A mismatch means
-// someone changed the struct without updating metaDiff (or this test's
-// extra-entry accounting), which is exactly what we want to catch.
-func TestMetaDiff_CoversAllFields(t *testing.T) {
-	var full PeerSystemMeta
-	exported := populateAll(t, reflect.ValueOf(&full).Elem())
-	require.NotZero(t, exported, "expected PeerSystemMeta to expose fields")
-
-	diff := metaDiff(PeerSystemMeta{}, full)
-
-	require.Len(t, diff, exported+metaDiffExtraEntries,
-		"metaDiff entry count no longer matches PeerSystemMeta's fields: a field was "+
-			"likely added or removed without updating metaDiff (or metaDiffExtraEntries). "+
-			"diff was: %v", diff)
-
-	require.False(t, full.isEqual(PeerSystemMeta{}),
-		"isEqual must report a fully-populated meta as different from the zero value")
-}
-
-// TestFlags_isEqualChecksEveryField guards the one field that the count-based
-// TestMetaDiff_CoversAllFields cannot: metaDiff collapses all of Flags into a
-// single "flags" diff entry, so a new Flags field that Flags.isEqual forgets to
-// compare would not change the diff count. This flips each Flags field on its own
-// and asserts Flags.isEqual notices, so adding a Flags field without comparing it
-// fails here.
-func TestFlags_isEqualChecksEveryField(t *testing.T) {
-	typ := reflect.TypeOf(Flags{})
-	for i := 0; i < typ.NumField(); i++ {
-		f := typ.Field(i)
-		require.Equal(t, reflect.Bool, f.Type.Kind(),
-			"Flags.%s is not a bool; extend this test to set it non-zero", f.Name)
-
-		var a, b Flags
-		reflect.ValueOf(&b).Elem().Field(i).SetBool(true)
-		require.False(t, a.isEqual(b), "Flags.isEqual ignores field %s", f.Name)
-	}
-}
-
-// populateAll sets every exported field of the struct to a deterministic non-zero
-// value, recursing into nested structs and the element type of struct slices so
-// that each leaf differs from zero. It returns the number of exported fields on
-// the top-level struct. netip.Prefix is treated as an opaque leaf (it has no
-// settable exported fields and is comparable with ==).
-func populateAll(t *testing.T, v reflect.Value) int {
-	t.Helper()
-
-	typ := v.Type()
-	exported := 0
-	for i := 0; i < typ.NumField(); i++ {
-		f := typ.Field(i)
-		if f.PkgPath != "" { // unexported
-			continue
-		}
-		exported++
-		setNonZero(t, v.Field(i))
-	}
-	return exported
-}
-
-// setNonZero assigns a deterministic non-zero value to a field based on its kind,
-// recursing into nested structs and populating one element of slice fields.
-func setNonZero(t *testing.T, field reflect.Value) {
-	t.Helper()
-
-	if field.Type() == reflect.TypeOf(netip.Prefix{}) {
-		field.Set(reflect.ValueOf(netip.MustParsePrefix("10.0.0.0/24")))
-		return
-	}
-
-	switch field.Kind() {
-	case reflect.String:
-		field.SetString("non-zero")
-	case reflect.Bool:
-		field.SetBool(true)
-	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
-		field.SetInt(7)
-	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
-		field.SetUint(7)
-	case reflect.Float32, reflect.Float64:
-		field.SetFloat(7)
-	case reflect.Struct:
-		populateAll(t, field)
-	case reflect.Slice:
-		s := reflect.MakeSlice(field.Type(), 1, 1)
-		setNonZero(t, s.Index(0))
-		field.Set(s)
-	default:
-		t.Fatalf("unhandled field kind %s; extend setNonZero", field.Kind())
-	}
-}

proxy/Dockerfile

@@ -7,8 +7,7 @@ RUN echo "netbird:x:1000:1000:netbird:/var/lib/netbird:/sbin/nologin" > /tmp/pas
     mkdir -p /tmp/certs
 
 FROM gcr.io/distroless/base:debug
-ARG TARGETPLATFORM
-COPY ${TARGETPLATFORM}/netbird-proxy /go/bin/netbird-proxy
+COPY netbird-proxy /go/bin/netbird-proxy
 COPY --from=builder /tmp/passwd /etc/passwd
 COPY --from=builder /tmp/group /etc/group
 COPY --from=builder --chown=1000:1000 /tmp/var/lib/netbird /var/lib/netbird

proxy/management_byop_integration_test.go

@@ -125,7 +125,6 @@ func setupBYOPIntegrationTest(t *testing.T) *byopTestSetup {
 		oidcConfig,
 		nil,
 		usersManager,
-		nil,
 		realProxyManager,
 		nil,
 	)

proxy/management_integration_test.go

@@ -140,7 +140,6 @@ func setupIntegrationTest(t *testing.T) *integrationTestSetup {
 		oidcConfig,
 		nil,
 		usersManager,
-		nil,
 		proxyManager,
 		nil,
 	)

relay/Dockerfile

@@ -1,5 +1,4 @@
 FROM gcr.io/distroless/base:debug
 ENTRYPOINT [ "/go/bin/netbird-relay" ]
 ENV NB_LOG_FILE=console
-ARG TARGETPLATFORM
-COPY ${TARGETPLATFORM}/netbird-relay /go/bin/netbird-relay
+COPY netbird-relay /go/bin/netbird-relay

release_files/freebsd-port-diff.sh

@@ -21,8 +21,7 @@ AWK_FIRST_FIELD='{print $1}'
 
 fetch_all_tags() {
     curl -sL "https://github.com/${GITHUB_REPO}/tags" 2>/dev/null | \
-        grep -oE '/releases/tag/v[0-9]+\.[0-9]+\.[0-9]+([^"]+)?' | \
-        grep -iv 'rc' | \
+        grep -oE '/releases/tag/v[0-9]+\.[0-9]+\.[0-9]+' | \
         sed 's/.*\/v//' | \
         sort -u -V
     return 0

release_files/freebsd-port-issue-body.sh

@@ -32,8 +32,7 @@ fetch_current_ports_version() {
 fetch_all_tags() {
     # Fetch tags from GitHub tags page (no rate limiting, no auth needed)
     curl -sL "https://github.com/${GITHUB_REPO}/tags" 2>/dev/null | \
-        grep -oE '/releases/tag/v[0-9]+\.[0-9]+\.[0-9]+([^"]+)?' | \
-        grep -iv 'rc' | \
+        grep -oE '/releases/tag/v[0-9]+\.[0-9]+\.[0-9]+' | \
         sed 's/.*\/v//' | \
         sort -u -V
     return 0

shared/signal/client/client.go

@@ -33,7 +33,7 @@ type Client interface {
 	Receive(ctx context.Context, msgHandler func(msg *proto.Message) error) error
 	Ready() bool
 	IsHealthy() bool
-	WaitStreamConnected(context.Context)
+	WaitStreamConnected()
 	SendToStream(msg *proto.EncryptedMessage) error
 	Send(msg *proto.Message) error
 	SetOnReconnectedListener(func())

shared/signal/client/client_test.go

@@ -65,10 +65,7 @@ var _ = Describe("GrpcClient", func() {
 						return
 					}
 				}()
-				ctxA, cancelA := context.WithTimeout(context.Background(), 5*time.Second)
-				defer cancelA()
-				clientA.WaitStreamConnected(ctxA)
-				Expect(clientA.StreamConnected()).To(BeTrue())
+				clientA.WaitStreamConnected()
 
 				// connect PeerB to Signal
 				keyB, _ := wgtypes.GenerateKey()
@@ -94,10 +91,7 @@ var _ = Describe("GrpcClient", func() {
 					}
 				}()
 
-				ctxB, cancelB := context.WithTimeout(context.Background(), 5*time.Second)
-				defer cancelB()
-				clientB.WaitStreamConnected(ctxB)
-				Expect(clientB.StreamConnected()).To(BeTrue())
+				clientB.WaitStreamConnected()
 
 				// PeerA initiates ping-pong
 				err := clientA.Send(&sigProto.Message{
@@ -135,10 +129,8 @@ var _ = Describe("GrpcClient", func() {
 						return
 					}
 				}()
-				ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-				defer cancel()
-				client.WaitStreamConnected(ctx)
-				Expect(client.StreamConnected()).To(BeTrue())
+				client.WaitStreamConnected()
+				Expect(client).NotTo(BeNil())
 			})
 		})
 

shared/signal/client/grpc.go

@@ -2,11 +2,9 @@ package client
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"io"
 	"sync"
-	"sync/atomic"
 	"time"
 
 	"github.com/cenkalti/backoff/v4"
@@ -25,23 +23,7 @@ import (
 	"github.com/netbirdio/netbird/util/wsproxy"
 )
 
-const (
-	// receiveInactivityThreshold is how long the receive stream may be silent
-	// before the watchdog actively probes it. The gRPC transport can stay
-	// healthy (keepalive satisfied) while the server stops delivering messages,
-	// which the transport layer cannot detect.
-	receiveInactivityThreshold = 30 * time.Second
-	// receiveProbeTimeout is how long the watchdog waits for its self-addressed
-	// probe to round-trip back on the stream before declaring the receive
-	// direction dead.
-	receiveProbeTimeout = 10 * time.Second
-	// receiveWatchdogInterval is how often the watchdog evaluates the stream.
-	receiveWatchdogInterval = 10 * time.Second
-)
-
-// errReceiveStreamStalled is reported when the receive stream is transport-alive
-// but no longer delivering messages, so the stream is torn down to reconnect.
-var errReceiveStreamStalled = errors.New("signal receive stream stalled")
+const healthCheckTimeout = 5 * time.Second
 
 // ConnStateNotifier is a wrapper interface of the status recorder
 type ConnStateNotifier interface {
@@ -70,14 +52,6 @@ type GrpcClient struct {
 	decryptionWorker       *Worker
 	decryptionWorkerCancel context.CancelFunc
 	decryptionWg           sync.WaitGroup
-
-	// lastReceived holds the Unix-nano timestamp of the last message read from
-	// the receive stream, used by the receive watchdog.
-	lastReceived atomic.Int64
-	// receiveStalled is set by the receive watchdog when the stream is
-	// transport-alive but no longer delivering messages. It is the source of
-	// truth IsHealthy reads, and is cleared once any frame is received again.
-	receiveStalled atomic.Bool
 }
 
 // NewClient creates a new Signal client
@@ -174,9 +148,9 @@ func (c *GrpcClient) Receive(ctx context.Context, msgHandler func(msg *proto.Mes
 
 		// connect to Signal stream identifying ourselves with a public WireGuard key
 		// todo once the key rotation logic has been implemented, consider changing to some other identifier (received from management)
-		streamCtx, cancelStream := context.WithCancel(ctx)
+		ctx, cancelStream := context.WithCancel(ctx)
 		defer cancelStream()
-		stream, err := c.connect(streamCtx, c.key.PublicKey().String())
+		stream, err := c.connect(ctx, c.key.PublicKey().String())
 		if err != nil {
 			log.Warnf("disconnected from the Signal Exchange due to an error: %v", err)
 			return err
@@ -190,16 +164,9 @@ func (c *GrpcClient) Receive(ctx context.Context, msgHandler func(msg *proto.Mes
 		// Start worker pool if not already started
 		c.startEncryptionWorker(msgHandler)
 
-		// Guard the receive direction: the transport can stay healthy while the
-		// server stops delivering messages. The watchdog reconnects via cancelStream.
-		c.markReceived()
-		go c.watchReceiveStream(streamCtx, cancelStream)
-
 		// start receiving messages from the Signal stream (from other peers through signal)
 		err = c.receive(stream)
 		if err != nil {
-			// Check the parent context, not streamCtx: a watchdog-triggered
-			// cancelStream must reconnect, only a parent cancel is shutdown.
 			if ctx.Err() != nil {
 				log.Debugf("signal connection context has been canceled, this usually indicates shutdown")
 				return nil
@@ -246,6 +213,15 @@ func (c *GrpcClient) notifyStreamConnected() {
 	}
 }
 
+func (c *GrpcClient) getStreamStatusChan() <-chan struct{} {
+	c.mux.Lock()
+	defer c.mux.Unlock()
+	if c.connectedCh == nil {
+		c.connectedCh = make(chan struct{})
+	}
+	return c.connectedCh
+}
+
 func (c *GrpcClient) connect(ctx context.Context, key string) (proto.SignalExchange_ConnectStreamClient, error) {
 	c.stream = nil
 
@@ -276,10 +252,7 @@ func (c *GrpcClient) Ready() bool {
 	return c.signalConn.GetState() == connectivity.Ready || c.signalConn.GetState() == connectivity.Idle
 }
 
-// IsHealthy reports whether the Signal connection is usable, based on the
-// transport state plus the receive watchdog's verdict, and updates the status
-// recorder accordingly. It does not actively probe: the watchdog
-// (watchReceiveStream) owns probing the receive path and reconnecting.
+// IsHealthy probes the gRPC connection and returns false on errors
 func (c *GrpcClient) IsHealthy() bool {
 	switch c.signalConn.GetState() {
 	case connectivity.TransientFailure:
@@ -292,8 +265,16 @@ func (c *GrpcClient) IsHealthy() bool {
 	case connectivity.Ready:
 	}
 
-	if c.receiveStalled.Load() {
-		c.notifyDisconnected(errReceiveStreamStalled)
+	ctx, cancel := context.WithTimeout(c.ctx, healthCheckTimeout)
+	defer cancel()
+	_, err := c.realClient.Send(ctx, &proto.EncryptedMessage{
+		Key:       c.key.PublicKey().String(),
+		RemoteKey: "dummy",
+		Body:      nil,
+	})
+	if err != nil {
+		c.notifyDisconnected(err)
+		log.Warnf("health check returned: %s", err)
 		return false
 	}
 	c.notifyConnected()
@@ -301,24 +282,14 @@ func (c *GrpcClient) IsHealthy() bool {
 }
 
 // WaitStreamConnected waits until the client is connected to the Signal stream
-func (c *GrpcClient) WaitStreamConnected(ctx context.Context) {
-	// Check the status and obtain the wait channel atomically: otherwise
-	// notifyStreamConnected could flip the status and close/clear the channel
-	// between the check and the channel creation, leaving us waiting forever on
-	// a stale channel.
-	c.mux.Lock()
+func (c *GrpcClient) WaitStreamConnected() {
+
 	if c.status == StreamConnected {
-		c.mux.Unlock()
 		return
 	}
-	if c.connectedCh == nil {
-		c.connectedCh = make(chan struct{})
-	}
-	ch := c.connectedCh
-	c.mux.Unlock()
 
+	ch := c.getStreamStatusChan()
 	select {
-	case <-ctx.Done():
 	case <-c.ctx.Done():
 	case <-ch:
 	}
@@ -427,68 +398,6 @@ func (c *GrpcClient) Send(msg *proto.Message) error {
 	return err
 }
 
-// markReceived records that a frame was just read from the receive stream and
-// clears the stalled flag.
-func (c *GrpcClient) markReceived() {
-	c.lastReceived.Store(time.Now().UnixNano())
-	c.receiveStalled.Store(false)
-}
-
-// idleSinceReceive returns how long the receive stream has been silent.
-func (c *GrpcClient) idleSinceReceive() time.Duration {
-	return time.Since(time.Unix(0, c.lastReceived.Load()))
-}
-
-// watchReceiveStream guards against a receive stream that is transport-alive but
-// no longer delivering messages. While the stream is idle past
-// receiveInactivityThreshold it sends a self-addressed probe that the Signal
-// server routes back to this client. If the probe does not round-trip within
-// receiveProbeTimeout the receive direction is considered dead and cancelStream
-// is called so the retry loop reconnects.
-func (c *GrpcClient) watchReceiveStream(ctx context.Context, cancelStream context.CancelFunc) {
-	ticker := time.NewTicker(receiveWatchdogInterval)
-	defer ticker.Stop()
-
-	var probeSentAt time.Time
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-ticker.C:
-			if c.idleSinceReceive() < receiveInactivityThreshold {
-				probeSentAt = time.Time{}
-				continue
-			}
-
-			if !probeSentAt.IsZero() && time.Since(probeSentAt) >= receiveProbeTimeout {
-				log.Warnf("signal receive stream stalled: no messages for %s and probe did not return, reconnecting", c.idleSinceReceive().Round(time.Second))
-				c.receiveStalled.Store(true)
-				c.notifyDisconnected(errReceiveStreamStalled)
-				cancelStream()
-				return
-			}
-
-			if probeSentAt.IsZero() {
-				if err := c.sendReceiveProbe(); err != nil {
-					log.Debugf("failed to send signal receive probe: %v", err)
-				}
-				probeSentAt = time.Now()
-			}
-		}
-	}
-}
-
-// sendReceiveProbe sends a self-addressed heartbeat. The Signal server routes it
-// back to this client, exercising the exact receive path the watchdog guards.
-func (c *GrpcClient) sendReceiveProbe() error {
-	self := c.key.PublicKey().String()
-	return c.Send(&proto.Message{
-		Key:       self,
-		RemoteKey: self,
-		Body:      &proto.Body{Type: proto.Body_HEARTBEAT},
-	})
-}
-
 // receive receives messages from other peers coming through the Signal Exchange
 // and distributes them to worker threads for processing
 func (c *GrpcClient) receive(stream proto.SignalExchange_ConnectStreamClient) error {
@@ -510,9 +419,6 @@ func (c *GrpcClient) receive(stream proto.SignalExchange_ConnectStreamClient) er
 			return err
 		}
 
-		// Any frame from the server proves the receive direction is alive.
-		c.markReceived()
-
 		if msg == nil {
 			continue
 		}

shared/signal/client/mock.go

@@ -55,7 +55,7 @@ func (sm *MockClient) Ready() bool {
 	return sm.ReadyFunc()
 }
 
-func (sm *MockClient) WaitStreamConnected(context.Context) {
+func (sm *MockClient) WaitStreamConnected() {
 	if sm.WaitStreamConnectedFunc == nil {
 		return
 	}

shared/signal/client/watchdog_test.go

@@ -1,84 +0,0 @@
-package client
-
-import (
-	"context"
-	"net"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
-	"go.opentelemetry.io/otel"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"google.golang.org/grpc"
-
-	sigProto "github.com/netbirdio/netbird/shared/signal/proto"
-	"github.com/netbirdio/netbird/signal/server"
-)
-
-func startTestSignalServer(t *testing.T) string {
-	t.Helper()
-
-	lis, err := net.Listen("tcp", "127.0.0.1:0")
-	require.NoError(t, err)
-
-	s := grpc.NewServer()
-	srv, err := server.NewServer(context.Background(), otel.Meter(""))
-	require.NoError(t, err)
-	sigProto.RegisterSignalExchangeServer(s, srv)
-
-	go func() {
-		_ = s.Serve(lis)
-	}()
-	t.Cleanup(s.Stop)
-
-	return lis.Addr().String()
-}
-
-// TestReceiveProbeRoundTrips verifies that the watchdog's self-addressed heartbeat
-// is routed back to the same client through the signal server. This round-trip is
-// what lets the watchdog confirm the receive direction is still delivering.
-func TestReceiveProbeRoundTrips(t *testing.T) {
-	addr := startTestSignalServer(t)
-
-	key, err := wgtypes.GenerateKey()
-	require.NoError(t, err)
-
-	ctx, cancel := context.WithCancel(context.Background())
-	t.Cleanup(cancel)
-
-	client, err := NewClient(ctx, addr, key, false)
-	require.NoError(t, err)
-	t.Cleanup(func() { _ = client.Close() })
-
-	received := make(chan struct{}, 1)
-	go func() {
-		_ = client.Receive(ctx, func(msg *sigProto.Message) error {
-			if msg.GetBody().GetType() == sigProto.Body_HEARTBEAT && msg.GetKey() == key.PublicKey().String() {
-				select {
-				case received <- struct{}{}:
-				default:
-				}
-			}
-			return nil
-		})
-	}()
-
-	streamReady := make(chan struct{})
-	go func() {
-		client.WaitStreamConnected(ctx)
-		close(streamReady)
-	}()
-	select {
-	case <-streamReady:
-	case <-time.After(5 * time.Second):
-		t.Fatal("signal stream did not connect within timeout")
-	}
-
-	require.NoError(t, client.sendReceiveProbe())
-
-	select {
-	case <-received:
-	case <-time.After(3 * time.Second):
-		t.Fatal("self-addressed heartbeat did not round-trip back through the signal server")
-	}
-}

shared/signal/proto/signalexchange.pb.go

@@ -30,7 +30,6 @@ const (
 	Body_CANDIDATE Body_Type = 2
 	Body_MODE      Body_Type = 4
 	Body_GO_IDLE   Body_Type = 5
-	Body_HEARTBEAT Body_Type = 6
 )
 
 // Enum value maps for Body_Type.
@@ -41,7 +40,6 @@ var (
 		2: "CANDIDATE",
 		4: "MODE",
 		5: "GO_IDLE",
-		6: "HEARTBEAT",
 	}
 	Body_Type_value = map[string]int32{
 		"OFFER":     0,
@@ -49,7 +47,6 @@ var (
 		"CANDIDATE": 2,
 		"MODE":      4,
 		"GO_IDLE":   5,
-		"HEARTBEAT": 6,
 	}
 )
 
@@ -466,7 +463,7 @@ var file_signalexchange_proto_rawDesc = []byte{
 	0x52, 0x09, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x28, 0x0a, 0x04, 0x62,
 	0x6f, 0x64, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x73, 0x69, 0x67, 0x6e,
 	0x61, 0x6c, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2e, 0x42, 0x6f, 0x64, 0x79, 0x52,
-	0x04, 0x62, 0x6f, 0x64, 0x79, 0x22, 0xd2, 0x04, 0x0a, 0x04, 0x42, 0x6f, 0x64, 0x79, 0x12, 0x2d,
+	0x04, 0x62, 0x6f, 0x64, 0x79, 0x22, 0xc3, 0x04, 0x0a, 0x04, 0x42, 0x6f, 0x64, 0x79, 0x12, 0x2d,
 	0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x19, 0x2e, 0x73,
 	0x69, 0x67, 0x6e, 0x61, 0x6c, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2e, 0x42, 0x6f,
 	0x64, 0x79, 0x2e, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x18, 0x0a,
@@ -494,39 +491,38 @@ var file_signalexchange_proto_rawDesc = []byte{
 	0x52, 0x09, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x88, 0x01, 0x01, 0x12, 0x29,
 	0x0a, 0x0d, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x49, 0x50, 0x18,
 	0x0b, 0x20, 0x01, 0x28, 0x0c, 0x48, 0x02, 0x52, 0x0d, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x53, 0x65,
-	0x72, 0x76, 0x65, 0x72, 0x49, 0x50, 0x88, 0x01, 0x01, 0x22, 0x52, 0x0a, 0x04, 0x54, 0x79, 0x70,
+	0x72, 0x76, 0x65, 0x72, 0x49, 0x50, 0x88, 0x01, 0x01, 0x22, 0x43, 0x0a, 0x04, 0x54, 0x79, 0x70,
 	0x65, 0x12, 0x09, 0x0a, 0x05, 0x4f, 0x46, 0x46, 0x45, 0x52, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06,
 	0x41, 0x4e, 0x53, 0x57, 0x45, 0x52, 0x10, 0x01, 0x12, 0x0d, 0x0a, 0x09, 0x43, 0x41, 0x4e, 0x44,
 	0x49, 0x44, 0x41, 0x54, 0x45, 0x10, 0x02, 0x12, 0x08, 0x0a, 0x04, 0x4d, 0x4f, 0x44, 0x45, 0x10,
-	0x04, 0x12, 0x0b, 0x0a, 0x07, 0x47, 0x4f, 0x5f, 0x49, 0x44, 0x4c, 0x45, 0x10, 0x05, 0x12, 0x0d,
-	0x0a, 0x09, 0x48, 0x45, 0x41, 0x52, 0x54, 0x42, 0x45, 0x41, 0x54, 0x10, 0x06, 0x42, 0x15, 0x0a,
-	0x13, 0x5f, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x41, 0x64, 0x64,
-	0x72, 0x65, 0x73, 0x73, 0x42, 0x0c, 0x0a, 0x0a, 0x5f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e,
-	0x49, 0x64, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x53, 0x65, 0x72, 0x76,
-	0x65, 0x72, 0x49, 0x50, 0x4a, 0x04, 0x08, 0x09, 0x10, 0x0a, 0x22, 0x2e, 0x0a, 0x04, 0x4d, 0x6f,
-	0x64, 0x65, 0x12, 0x1b, 0x0a, 0x06, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x18, 0x01, 0x20, 0x01,
-	0x28, 0x08, 0x48, 0x00, 0x52, 0x06, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x88, 0x01, 0x01, 0x42,
-	0x09, 0x0a, 0x07, 0x5f, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x22, 0x6d, 0x0a, 0x0f, 0x52, 0x6f,
-	0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x28, 0x0a,
-	0x0f, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79,
-	0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0f, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73,
-	0x73, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x13, 0x72, 0x6f, 0x73, 0x65, 0x6e,
-	0x70, 0x61, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x18, 0x02,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x13, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x53,
-	0x65, 0x72, 0x76, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x32, 0xb9, 0x01, 0x0a, 0x0e, 0x53, 0x69,
-	0x67, 0x6e, 0x61, 0x6c, 0x45, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x12, 0x4c, 0x0a, 0x04,
-	0x53, 0x65, 0x6e, 0x64, 0x12, 0x20, 0x2e, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x65, 0x78, 0x63,
-	0x68, 0x61, 0x6e, 0x67, 0x65, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d,
-	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x20, 0x2e, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x65,
-	0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65,
-	0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x59, 0x0a, 0x0d, 0x43, 0x6f,
-	0x6e, 0x6e, 0x65, 0x63, 0x74, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x12, 0x20, 0x2e, 0x73, 0x69,
-	0x67, 0x6e, 0x61, 0x6c, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2e, 0x45, 0x6e, 0x63,
-	0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x20, 0x2e,
-	0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2e, 0x45,
-	0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22,
-	0x00, 0x28, 0x01, 0x30, 0x01, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
-	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x04, 0x12, 0x0b, 0x0a, 0x07, 0x47, 0x4f, 0x5f, 0x49, 0x44, 0x4c, 0x45, 0x10, 0x05, 0x42, 0x15,
+	0x0a, 0x13, 0x5f, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x41, 0x64,
+	0x64, 0x72, 0x65, 0x73, 0x73, 0x42, 0x0c, 0x0a, 0x0a, 0x5f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f,
+	0x6e, 0x49, 0x64, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x53, 0x65, 0x72,
+	0x76, 0x65, 0x72, 0x49, 0x50, 0x4a, 0x04, 0x08, 0x09, 0x10, 0x0a, 0x22, 0x2e, 0x0a, 0x04, 0x4d,
+	0x6f, 0x64, 0x65, 0x12, 0x1b, 0x0a, 0x06, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x08, 0x48, 0x00, 0x52, 0x06, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x88, 0x01, 0x01,
+	0x42, 0x09, 0x0a, 0x07, 0x5f, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x22, 0x6d, 0x0a, 0x0f, 0x52,
+	0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x28,
+	0x0a, 0x0f, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x50, 0x75, 0x62, 0x4b, 0x65,
+	0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0f, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61,
+	0x73, 0x73, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x13, 0x72, 0x6f, 0x73, 0x65,
+	0x6e, 0x70, 0x61, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x13, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73,
+	0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x32, 0xb9, 0x01, 0x0a, 0x0e, 0x53,
+	0x69, 0x67, 0x6e, 0x61, 0x6c, 0x45, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x12, 0x4c, 0x0a,
+	0x04, 0x53, 0x65, 0x6e, 0x64, 0x12, 0x20, 0x2e, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x65, 0x78,
+	0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64,
+	0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x20, 0x2e, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c,
+	0x65, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74,
+	0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x59, 0x0a, 0x0d, 0x43,
+	0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x12, 0x20, 0x2e, 0x73,
+	0x69, 0x67, 0x6e, 0x61, 0x6c, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2e, 0x45, 0x6e,
+	0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x20,
+	0x2e, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2e,
+	0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
+	0x22, 0x00, 0x28, 0x01, 0x30, 0x01, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (

shared/signal/proto/signalexchange.proto

@@ -48,7 +48,6 @@ message Body {
     CANDIDATE = 2;
     MODE = 4;
     GO_IDLE = 5;
-    HEARTBEAT = 6;
   }
   Type type = 1;
   string payload = 2;

signal/Dockerfile

@@ -1,5 +1,4 @@
 FROM gcr.io/distroless/base:debug
 ENTRYPOINT [ "/go/bin/netbird-signal","run" ]
 CMD ["--log-file", "console"]
-ARG TARGETPLATFORM
-COPY ${TARGETPLATFORM}/netbird-signal /go/bin/netbird-signal
+COPY netbird-signal /go/bin/netbird-signal

signal/peer/peer.go

@@ -26,10 +26,6 @@ type Peer struct {
 
 	// a gRpc connection stream to the Peer
 	Stream proto.SignalExchange_ConnectStreamServer
-	// sendMu serializes writes to Stream. gRPC forbids concurrent SendMsg on
-	// the same ServerStream, and a peer can be the target of many senders at
-	// once.
-	sendMu sync.Mutex
 
 	// registration time
 	RegisteredAt time.Time
@@ -37,13 +33,6 @@ type Peer struct {
 	Cancel context.CancelFunc
 }
 
-// Send writes a message to the peer's stream, serializing concurrent senders.
-func (p *Peer) Send(msg *proto.EncryptedMessage) error {
-	p.sendMu.Lock()
-	defer p.sendMu.Unlock()
-	return p.Stream.Send(msg)
-}
-
 // NewPeer creates a new instance of a connected Peer
 func NewPeer(id string, stream proto.SignalExchange_ConnectStreamServer, cancel context.CancelFunc) *Peer {
 	return &Peer{

signal/server/concurrent_send_test.go

@@ -1,67 +0,0 @@
-package server
-
-import (
-	"context"
-	"sync"
-	"sync/atomic"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
-	"go.opentelemetry.io/otel"
-
-	"github.com/netbirdio/netbird/shared/signal/proto"
-	"github.com/netbirdio/netbird/signal/peer"
-)
-
-// concurrencyCheckStream records the maximum number of Send calls in flight at
-// once. gRPC forbids concurrent SendMsg on the same ServerStream, so a correct
-// server must never have more than one in flight per peer.
-type concurrencyCheckStream struct {
-	proto.SignalExchange_ConnectStreamServer
-	ctx      context.Context
-	inflight atomic.Int32
-	maxSeen  atomic.Int32
-}
-
-func (s *concurrencyCheckStream) Send(*proto.EncryptedMessage) error {
-	n := s.inflight.Add(1)
-	for {
-		old := s.maxSeen.Load()
-		if n <= old || s.maxSeen.CompareAndSwap(old, n) {
-			break
-		}
-	}
-	// Widen the window so overlapping callers are reliably observed.
-	time.Sleep(time.Millisecond)
-	s.inflight.Add(-1)
-	return nil
-}
-
-func (s *concurrencyCheckStream) Context() context.Context { return s.ctx }
-
-// TestForwardMessageToPeerSerializesSend verifies that concurrent forwards to the
-// same peer never call Stream.Send concurrently, which would violate the gRPC
-// ServerStream contract.
-func TestForwardMessageToPeerSerializesSend(t *testing.T) {
-	s, err := NewServer(context.Background(), otel.Meter(""))
-	require.NoError(t, err)
-
-	const peerID = "peerX"
-	stream := &concurrencyCheckStream{ctx: context.Background()}
-	_, cancel := context.WithCancel(context.Background())
-	t.Cleanup(cancel)
-	require.NoError(t, s.registry.Register(peer.NewPeer(peerID, stream, cancel)))
-
-	var wg sync.WaitGroup
-	for i := 0; i < 50; i++ {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
-			s.forwardMessageToPeer(context.Background(), &proto.EncryptedMessage{Key: "sender", RemoteKey: peerID})
-		}()
-	}
-	wg.Wait()
-
-	require.Equal(t, int32(1), stream.maxSeen.Load(), "Stream.Send must never run concurrently on the same peer stream")
-}