Propagate EDE meta through race result on upstream short-circuit

# Conflicts:
#	client/internal/dns/upstream.go

.github/workflows/golang-test-darwin.yml

@@ -43,13 +43,5 @@ jobs:
         run: git --no-pager diff --exit-code
 
       - name: Test
-        # Exclude client/ui: its main.go uses //go:embed all:frontend/dist,
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
-        # which fails to compile until the frontend has been built. The Wails UI
-        # has no Go-side unit tests, and its release pipeline runs `pnpm build`
-        # before goreleaser.
-        # `go list -e` lets the listing succeed even though the embed fails to
-        # resolve; the grep then drops the broken package by path. Without -e,
-        # go list aborts with empty stdout and `go test` falls back to the repo
-        # root, which has no Go files.
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list -e ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui)
 

.github/workflows/golang-test-linux.yml

@@ -51,7 +51,7 @@ jobs:
 
       - name: Install dependencies
         if: steps.cache.outputs.cache-hit != 'true'
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libwebkit2gtk-4.1-dev libsoup-3.0-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
 
       - name: Install 32-bit libpcap
         if: steps.cache.outputs.cache-hit != 'true'
@@ -141,7 +141,7 @@ jobs:
             ${{ runner.os }}-gotest-cache-
 
       - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libwebkit2gtk-4.1-dev libsoup-3.0-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
 
       - name: Install 32-bit libpcap
         if: matrix.arch == '386'
@@ -154,15 +154,7 @@ jobs:
         run: git --no-pager diff --exit-code
 
       - name: Test
-        # Exclude client/ui: its main.go uses //go:embed all:frontend/dist,
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
-        # which fails to compile until the frontend has been built. The Wails UI
-        # has no Go-side unit tests, and its release pipeline runs `pnpm build`
-        # before goreleaser.
-        # `go list -e` lets the listing succeed even though the embed fails to
-        # resolve; the grep then drops the broken package by path. Without -e,
-        # go list aborts with empty stdout and `go test` falls back to the repo
-        # root, which has no Go files.
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list -e ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui)
 
   test_client_on_docker:
     name: "Client (Docker) / Unit"
@@ -222,7 +214,7 @@ jobs:
             sh -c ' \
               apk update; apk add --no-cache \
                 ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
-              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -e -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server)
+              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server)
             '
 
   test_relay:

.github/workflows/golang-test-windows.yml

@@ -64,15 +64,8 @@ jobs:
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
       - name: Generate test script
-        # Exclude client/ui: its main.go uses //go:embed all:frontend/dist,
-        # which fails to compile until the frontend has been built. The Wails UI
-        # has no Go-side unit tests, and its release pipeline runs `pnpm build`
-        # before goreleaser.
-        # `go list -e` lets the listing succeed even though the embed fails to
-        # resolve; the Where-Object pipeline then drops the broken package by
-        # path. Without -e, go list aborts with empty stdout.
         run: |
-          $packages = go list -e ./... | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' } | Where-Object { $_ -notmatch '/combined' } | Where-Object { $_ -notmatch '/client/ui' }
+          $packages = go list ./... | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' } | Where-Object { $_ -notmatch '/combined' }
           $goExe = "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe"
           $cmd = "$goExe test -tags=devcert -timeout 10m -p 1 $($packages -join ' ') > test-out.txt 2>&1"
           Set-Content -Path "${{ github.workspace }}\run-tests.cmd" -Value $cmd

.github/workflows/golangci-lint.yml

@@ -20,7 +20,7 @@ jobs:
         uses: codespell-project/actions-codespell@v2
         with:
           ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te,userA,ede,additionals
-          skip: go.mod,go.sum,**/proxy/web/**,**/pnpm-lock.yaml,**/package-lock.json
+          skip: go.mod,go.sum,**/proxy/web/**
   golangci:
     strategy:
       fail-fast: false
@@ -50,16 +50,7 @@ jobs:
           cache: false
       - name: Install dependencies
         if: matrix.os == 'ubuntu-latest'
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libwebkit2gtk-4.1-dev libsoup-3.0-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
-      - name: Stub Wails frontend bundle
-        # client/ui/main.go has //go:embed all:frontend/dist. The
-        # directory is produced by `pnpm run build` and is gitignored, so
-        # lint-only runs (no frontend toolchain) need a placeholder file
-        # for the embed pattern to match.
-        shell: bash
-        run: |
-          mkdir -p client/ui/frontend/dist
-          touch client/ui/frontend/dist/.embed-placeholder
       - name: golangci-lint
         uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:

.github/workflows/release.yml

@@ -186,9 +186,9 @@ jobs:
       - name: Install goversioninfo
         run: go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@233067e
       - name: Generate windows syso amd64
-        run: goversioninfo  -icon client/ui/build/windows/icon.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_amd64.syso
+        run: goversioninfo  -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_amd64.syso
       - name: Generate windows syso arm64
-        run: goversioninfo -arm -64 -icon client/ui/build/windows/icon.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
+        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
       - name: Run GoReleaser
         id: goreleaser
         uses: goreleaser/goreleaser-action@v4
@@ -349,18 +349,8 @@ jobs:
       - name: check git status
         run: git --no-pager diff --exit-code
 
-      - name: Set up Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-
-      - name: Set up pnpm
-        uses: pnpm/action-setup@v3
-        with:
-          version: 9
-
       - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libwebkit2gtk-4.1-dev libsoup-3.0-dev libayatana-appindicator3-dev gcc-mingw-w64-x86-64
+        run: sudo apt update && sudo apt install -y -q libappindicator3-dev gir1.2-appindicator3-0.1 libxxf86vm-dev gcc-mingw-w64-x86-64
 
       - name: Decode GPG signing key
         if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
@@ -380,9 +370,9 @@ jobs:
       - name: Install goversioninfo
         run: go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@233067e
       - name: Generate windows syso amd64
-        run: goversioninfo -64 -icon client/ui/build/windows/icon.ico -manifest client/ui/build/windows/wails.exe.manifest -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_amd64.syso
+        run: goversioninfo -64 -icon client/ui/assets/netbird.ico -manifest client/ui/manifest.xml -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_amd64.syso
       - name: Generate windows syso arm64
-        run: goversioninfo -arm -64 -icon client/ui/build/windows/icon.ico -manifest client/ui/build/windows/wails.exe.manifest -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_arm64.syso
+        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/ui/manifest.xml -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_arm64.syso
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v4
@@ -449,14 +439,6 @@ jobs:
         run: go mod tidy
       - name: check git status
         run: git --no-pager diff --exit-code
-      - name: Set up Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-      - name: Set up pnpm
-        uses: pnpm/action-setup@v3
-        with:
-          version: 9
       - name: Run GoReleaser
         id: goreleaser
         uses: goreleaser/goreleaser-action@v4
@@ -546,6 +528,24 @@ jobs:
       - name: Move wintun.dll into dist
         run: mv ${{ env.downloadPath }}\wintun\bin\${{ matrix.wintun_arch }}\wintun.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\
 
+      - name: Download Mesa3D (amd64 only)
+        uses: carlosperate/download-file-action@v2
+        id: download-mesa3d
+        if: matrix.arch == 'amd64'
+        with:
+          file-url: https://downloads.fdossena.com/Projects/Mesa3D/Builds/MesaForWindows-x64-20.1.8.7z
+          file-name: mesa3d.7z
+          location: ${{ env.downloadPath }}
+          sha256: '71c7cb64ec229a1d6b8d62fa08e1889ed2bd17c0eeede8689daf0f25cb31d6b9'
+
+      - name: Extract Mesa3D driver (amd64 only)
+        if: matrix.arch == 'amd64'
+        run: 7z x -o"${{ env.downloadPath }}" "${{ env.downloadPath }}/mesa3d.7z"
+
+      - name: Move opengl32.dll into dist (amd64 only)
+        if: matrix.arch == 'amd64'
+        run: mv ${{ env.downloadPath }}\opengl32.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\
+
       - name: Download EnVar plugin for NSIS
         uses: carlosperate/download-file-action@v2
         with:

.golangci.yaml

@@ -114,16 +114,6 @@ linters:
       - linters:
           - staticcheck
         text: "QF1012"
-      # client/ui/main.go uses //go:embed all:frontend/dist; the
-      # directory is populated by `pnpm build` in the release pipeline
-      # and missing at lint time, so the embed parses to "no matching
-      # files found" — surfaced by golangci-lint's typecheck pre-pass.
-      # Suppress just that one diagnostic; the rest of the package
-      # (services/, tray.go, grpc.go, ...) still gets linted normally.
-      - linters:
-          - typecheck
-        path: client/ui/main\.go
-        text: "pattern all:frontend/dist"
     paths:
       - third_party$
       - builtin$

.goreleaser_ui.yaml

@@ -1,11 +1,6 @@
 version: 2
 
 project_name: netbird-ui
-
-before:
-  hooks:
-    - sh -c 'cd client/ui/frontend && pnpm install --frozen-lockfile && pnpm build'
-
 builds:
   - id: netbird-ui
     dir: client/ui
@@ -75,15 +70,12 @@ nfpms:
     scripts:
       postinstall: "release_files/ui-post-install.sh"
     contents:
-      - src: client/ui/build/linux/netbird.desktop
+      - src: client/ui/build/netbird.desktop
         dst: /usr/share/applications/netbird.desktop
-      - src: client/ui/build/appicon.png
+      - src: client/ui/assets/netbird.png
         dst: /usr/share/pixmaps/netbird.png
     dependencies:
       - netbird
-      - libgtk-3-0
-      - libwebkit2gtk-4.1-0
-      - libayatana-appindicator3-1
 
   - maintainer: Netbird <dev@netbird.io>
     description: Netbird client UI.
@@ -97,15 +89,12 @@ nfpms:
     scripts:
       postinstall: "release_files/ui-post-install.sh"
     contents:
-      - src: client/ui/build/linux/netbird.desktop
+      - src: client/ui/build/netbird.desktop
         dst: /usr/share/applications/netbird.desktop
-      - src: client/ui/build/appicon.png
+      - src: client/ui/assets/netbird.png
         dst: /usr/share/pixmaps/netbird.png
     dependencies:
       - netbird
-      - gtk3
-      - webkit2gtk4.1
-      - libayatana-appindicator-gtk3
     rpm:
       signature:
         key_file: '{{ if index .Env "GPG_RPM_KEY_FILE" }}{{ .Env.GPG_RPM_KEY_FILE }}{{ end }}'

.goreleaser_ui_darwin.yaml

@@ -1,11 +1,6 @@
 version: 2
 
 project_name: netbird-ui
-
-before:
-  hooks:
-    - sh -c 'cd client/ui/frontend && pnpm install --frozen-lockfile && pnpm build'
-
 builds:
   - id: netbird-ui-darwin
     dir: client/ui
@@ -25,6 +20,8 @@ builds:
     ldflags:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
+    tags:
+      - load_wgnt_from_rsrc
 
 universal_binaries:
   - id: netbird-ui-darwin

client/installer.nsis

@@ -6,7 +6,7 @@
 !define DESCRIPTION "Connect your devices into a secure WireGuard-based overlay network with SSO, MFA, and granular access controls."
 !define INSTALLER_NAME "netbird-installer.exe"
 !define MAIN_APP_EXE "Netbird"
-!define ICON "ui\\build\\windows\\icon.ico"
+!define ICON "ui\\assets\\netbird.ico"
 !define BANNER "ui\\build\\banner.bmp"
 !define LICENSE_DATA "..\\LICENSE"
 
@@ -280,43 +280,6 @@ CreateShortCut "$SMPROGRAMS\${APP_NAME}.lnk" "$INSTDIR\${UI_APP_EXE}"
 CreateShortCut "$DESKTOP\${APP_NAME}.lnk" "$INSTDIR\${UI_APP_EXE}"
 SectionEnd
 
-# Install the Microsoft Edge WebView2 runtime if it isn't already present.
-# Macro adapted from Wails3's NSIS template (wails_tools.nsh): a registry
-# probe followed by a silent install of the embedded evergreen bootstrapper.
-# The MicrosoftEdgeWebview2Setup.exe payload is staged next to this script
-# by the sign-pipelines build step (`wails3 generate webview2bootstrapper`).
-!macro nb.webview2runtime
-    SetRegView 64
-    # Per-machine install marker — populated when the runtime ships with
-    # Edge or has been installed by an admin previously.
-    ReadRegStr $0 HKLM "SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}" "pv"
-    ${If} $0 != ""
-        Goto webview2_ok
-    ${EndIf}
-    # Per-user fallback for HKCU installs.
-    ReadRegStr $0 HKCU "Software\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}" "pv"
-    ${If} $0 != ""
-        Goto webview2_ok
-    ${EndIf}
-
-    SetDetailsPrint both
-    DetailPrint "Installing: WebView2 Runtime"
-    SetDetailsPrint listonly
-
-    InitPluginsDir
-    CreateDirectory "$pluginsdir\webview2bootstrapper"
-    SetOutPath "$pluginsdir\webview2bootstrapper"
-    File "MicrosoftEdgeWebview2Setup.exe"
-    ExecWait '"$pluginsdir\webview2bootstrapper\MicrosoftEdgeWebview2Setup.exe" /silent /install'
-
-    SetDetailsPrint both
-    webview2_ok:
-!macroend
-
-Section -WebView2
-    !insertmacro nb.webview2runtime
-SectionEnd
-
 Section -Post
 ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service install'
 ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service start'
@@ -363,9 +326,9 @@ DetailPrint "Deleting application files..."
 Delete "$INSTDIR\${UI_APP_EXE}"
 Delete "$INSTDIR\${MAIN_APP_EXE}"
 Delete "$INSTDIR\wintun.dll"
-# Legacy: pre-Wails installs shipped opengl32.dll (Mesa3D for Fyne); remove
+!if ${ARCH} == "amd64"
-# any leftover copy on uninstall so old upgrades don't leave it behind.
 Delete "$INSTDIR\opengl32.dll"
+!endif
 DetailPrint "Removing application directory..."
 RmDir /r "$INSTDIR"
 

client/internal/connect.go

@@ -116,7 +116,6 @@ func (c *ConnectClient) RunOniOS(
 	fileDescriptor int32,
 	networkChangeListener listener.NetworkChangeListener,
 	dnsManager dns.IosDnsManager,
-	dnsAddresses []netip.AddrPort,
 	stateFilePath string,
 ) error {
 	// Set GC percent to 5% to reduce memory usage as iOS only allows 50MB of memory for the extension.
@@ -126,7 +125,6 @@ func (c *ConnectClient) RunOniOS(
 		FileDescriptor:        fileDescriptor,
 		NetworkChangeListener: networkChangeListener,
 		DnsManager:            dnsManager,
-		HostDNSAddresses:      dnsAddresses,
 		StateFilePath:         stateFilePath,
 	}
 	return c.run(mobileDependency, nil, "")
@@ -258,15 +256,6 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		log.Debugf("connecting to the Management service %s", c.config.ManagementURL.Host)
 		mgmClient, err := mgm.NewClient(engineCtx, c.config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
 		if err != nil {
-			// On daemon shutdown / Down() the parent context is cancelled
-			// and the dial fails with "context canceled". Wrapping that
-			// into state would leave the snapshot stuck at Connecting+err
-			// until the backoff loop wakes up — instead let the operation
-			// return cleanly so the deferred state.Set(StatusIdle) takes
-			// effect on the next iteration.
-			if c.ctx.Err() != nil {
-				return nil
-			}
 			return wrapErr(gstatus.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err))
 		}
 		mgmNotifier := statusRecorderToMgmConnStateNotifier(c.statusRecorder)
@@ -435,11 +424,7 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 	}
 
 	c.statusRecorder.ClientStart()
-	// Wrap the backoff with c.ctx so Down()/actCancel propagates into the
+	err = backoff.Retry(operation, backOff)
-	// inter-attempt sleep — otherwise a 15s MaxInterval can keep the retry
-	// loop alive long after the caller asked to give up, leaving the
-	// status stream stuck at Connecting.
-	err = backoff.Retry(operation, backoff.WithContext(backOff, c.ctx))
 	if err != nil {
 		log.Debugf("exiting client retry loop due to unrecoverable error: %s", err)
 		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.PermissionDenied) {

client/internal/dns/host.go

@@ -16,6 +16,10 @@ type hostManager interface {
 	restoreHostDNS() error
 	supportCustomPort() bool
 	string() string
+	// getOriginalNameservers returns the OS-side resolvers used as PriorityFallback
+	// upstreams: pre-takeover snapshots on desktop, the OS-pushed list on Android,
+	// hardcoded Quad9 on iOS, nil for noop / mock.
+	getOriginalNameservers() []netip.Addr
 }
 
 type SystemDNSSettings struct {
@@ -131,3 +135,11 @@ func (n noopHostConfigurator) supportCustomPort() bool {
 func (n noopHostConfigurator) string() string {
 	return "noop"
 }
+
+func (n noopHostConfigurator) getOriginalNameservers() []netip.Addr {
+	return nil
+}
+
+func (m *mockHostConfigurator) getOriginalNameservers() []netip.Addr {
+	return nil
+}

client/internal/dns/host_android.go

@@ -1,14 +1,20 @@
 package dns
 
 import (
+	"net/netip"
+
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
 
+// androidHostManager is a noop on the OS side (Android's VPN service handles
+// DNS for us) but tracks the OS-reported resolver list pushed via
+// OnUpdatedHostDNSServer so it can serve as the fallback nameserver source.
 type androidHostManager struct {
+	holder *hostsDNSHolder
 }
 
-func newHostManager() (*androidHostManager, error) {
+func newHostManager(holder *hostsDNSHolder) (*androidHostManager, error) {
-	return &androidHostManager{}, nil
+	return &androidHostManager{holder: holder}, nil
 }
 
 func (a androidHostManager) applyDNSConfig(HostDNSConfig, *statemanager.Manager) error {
@@ -26,3 +32,12 @@ func (a androidHostManager) supportCustomPort() bool {
 func (a androidHostManager) string() string {
 	return "none"
 }
+
+func (a androidHostManager) getOriginalNameservers() []netip.Addr {
+	hosts := a.holder.get()
+	out := make([]netip.Addr, 0, len(hosts))
+	for ap := range hosts {
+		out = append(out, ap.Addr())
+	}
+	return out
+}

client/internal/dns/host_ios.go

@@ -3,6 +3,7 @@ package dns
 import (
 	"encoding/json"
 	"fmt"
+	"net/netip"
 
 	log "github.com/sirupsen/logrus"
 
@@ -20,6 +21,14 @@ func newHostManager(dnsManager IosDnsManager) (*iosHostManager, error) {
 	}, nil
 }
 
+func (a iosHostManager) getOriginalNameservers() []netip.Addr {
+	// Quad9 v4+v6: 9.9.9.9, 2620:fe::fe.
+	return []netip.Addr{
+		netip.AddrFrom4([4]byte{9, 9, 9, 9}),
+		netip.AddrFrom16([16]byte{0x26, 0x20, 0x00, 0xfe, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xfe}),
+	}
+}
+
 func (a iosHostManager) applyDNSConfig(config HostDNSConfig, _ *statemanager.Manager) error {
 	jsonData, err := json.Marshal(config)
 	if err != nil {

client/internal/dns/host_windows.go

@@ -7,6 +7,7 @@ import (
 	"io"
 	"net/netip"
 	"os/exec"
+	"slices"
 	"strings"
 	"syscall"
 	"time"
@@ -44,9 +45,11 @@ const (
 
 	nrptMaxDomainsPerRule = 50
 
-	interfaceConfigPath          = `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
+	interfaceConfigPath           = `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
-	interfaceConfigNameServerKey = "NameServer"
+	interfaceConfigPathV6         = `SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces`
-	interfaceConfigSearchListKey = "SearchList"
+	interfaceConfigNameServerKey  = "NameServer"
+	interfaceConfigDhcpNameSrvKey = "DhcpNameServer"
+	interfaceConfigSearchListKey  = "SearchList"
 
 	// Network interface DNS registration settings
 	disableDynamicUpdateKey           = "DisableDynamicUpdate"
@@ -67,10 +70,11 @@ const (
 )
 
 type registryConfigurator struct {
-	guid           string
+	guid            string
-	routingAll     bool
+	routingAll      bool
-	gpo            bool
+	gpo             bool
-	nrptEntryCount int
+	nrptEntryCount  int
+	origNameservers []netip.Addr
 }
 
 func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
@@ -94,6 +98,17 @@ func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
 		gpo:  useGPO,
 	}
 
+	origNameservers, err := configurator.captureOriginalNameservers()
+	switch {
+	case err != nil:
+		log.Warnf("capture original nameservers from non-WG adapters: %v", err)
+	case len(origNameservers) == 0:
+		log.Warnf("no original nameservers captured from non-WG adapters; DNS fallback will be empty")
+	default:
+		log.Debugf("captured %d original nameservers from non-WG adapters: %v", len(origNameservers), origNameservers)
+	}
+	configurator.origNameservers = origNameservers
+
 	if err := configurator.configureInterface(); err != nil {
 		log.Errorf("failed to configure interface settings: %v", err)
 	}
@@ -101,6 +116,98 @@ func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
 	return configurator, nil
 }
 
+// captureOriginalNameservers reads DNS addresses from every Tcpip(6) interface
+// registry key except the WG adapter. v4 and v6 servers live in separate
+// hives (Tcpip vs Tcpip6) keyed by the same interface GUID.
+func (r *registryConfigurator) captureOriginalNameservers() ([]netip.Addr, error) {
+	seen := make(map[netip.Addr]struct{})
+	var out []netip.Addr
+	var merr *multierror.Error
+	for _, root := range []string{interfaceConfigPath, interfaceConfigPathV6} {
+		addrs, err := r.captureFromTcpipRoot(root)
+		if err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("%s: %w", root, err))
+			continue
+		}
+		for _, addr := range addrs {
+			if _, dup := seen[addr]; dup {
+				continue
+			}
+			seen[addr] = struct{}{}
+			out = append(out, addr)
+		}
+	}
+	return out, nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *registryConfigurator) captureFromTcpipRoot(rootPath string) ([]netip.Addr, error) {
+	root, err := registry.OpenKey(registry.LOCAL_MACHINE, rootPath, registry.READ)
+	if err != nil {
+		return nil, fmt.Errorf("open key: %w", err)
+	}
+	defer closer(root)
+
+	guids, err := root.ReadSubKeyNames(-1)
+	if err != nil {
+		return nil, fmt.Errorf("read subkeys: %w", err)
+	}
+
+	var out []netip.Addr
+	for _, guid := range guids {
+		if strings.EqualFold(guid, r.guid) {
+			continue
+		}
+		out = append(out, readInterfaceNameservers(rootPath, guid)...)
+	}
+	return out, nil
+}
+
+func readInterfaceNameservers(rootPath, guid string) []netip.Addr {
+	keyPath := rootPath + "\\" + guid
+	k, err := registry.OpenKey(registry.LOCAL_MACHINE, keyPath, registry.QUERY_VALUE)
+	if err != nil {
+		return nil
+	}
+	defer closer(k)
+
+	// Static NameServer wins over DhcpNameServer for actual resolution.
+	for _, name := range []string{interfaceConfigNameServerKey, interfaceConfigDhcpNameSrvKey} {
+		raw, _, err := k.GetStringValue(name)
+		if err != nil || raw == "" {
+			continue
+		}
+		if out := parseRegistryNameservers(raw); len(out) > 0 {
+			return out
+		}
+	}
+	return nil
+}
+
+func parseRegistryNameservers(raw string) []netip.Addr {
+	var out []netip.Addr
+	for _, field := range strings.FieldsFunc(raw, func(r rune) bool { return r == ',' || r == ' ' || r == '\t' }) {
+		addr, err := netip.ParseAddr(strings.TrimSpace(field))
+		if err != nil {
+			continue
+		}
+		addr = addr.Unmap()
+		if !addr.IsValid() || addr.IsUnspecified() {
+			continue
+		}
+		// Drop unzoned link-local: not routable without a scope id. If
+		// the user wrote "fe80::1%eth0" ParseAddr preserves the zone.
+		if addr.IsLinkLocalUnicast() && addr.Zone() == "" {
+			continue
+		}
+		out = append(out, addr)
+	}
+	return out
+}
+
+func (r *registryConfigurator) getOriginalNameservers() []netip.Addr {
+	return slices.Clone(r.origNameservers)
+}
+
 func (r *registryConfigurator) supportCustomPort() bool {
 	return false
 }

client/internal/dns/hosts_dns_holder.go

@@ -25,6 +25,7 @@ func (h *hostsDNSHolder) set(list []netip.AddrPort) {
 	h.mutex.Unlock()
 }
 
+//nolint:unused
 func (h *hostsDNSHolder) get() map[netip.AddrPort]struct{} {
 	h.mutex.RLock()
 	l := h.unprotectedDNSList

client/internal/dns/local/local.go

@@ -76,8 +76,6 @@ func (d *Resolver) ID() types.HandlerID {
 	return "local-resolver"
 }
 
-func (d *Resolver) ProbeAvailability(context.Context) {}
-
 // ServeDNS handles a DNS request
 func (d *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	logger := log.WithFields(log.Fields{

client/internal/dns/mock_server.go

@@ -9,6 +9,7 @@ import (
 
 	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
 	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
@@ -70,10 +71,6 @@ func (m *MockServer) SearchDomains() []string {
 	return make([]string, 0)
 }
 
-// ProbeAvailability mocks implementation of ProbeAvailability from the Server interface
-func (m *MockServer) ProbeAvailability() {
-}
-
 func (m *MockServer) UpdateServerConfig(domains dnsconfig.ServerDomains) error {
 	if m.UpdateServerConfigFunc != nil {
 		return m.UpdateServerConfigFunc(domains)
@@ -85,8 +82,8 @@ func (m *MockServer) PopulateManagementDomain(mgmtURL *url.URL) error {
 	return nil
 }
 
-// SetRouteChecker mock implementation of SetRouteChecker from Server interface
+// SetRouteSources mock implementation of SetRouteSources from Server interface
-func (m *MockServer) SetRouteChecker(func(netip.Addr) bool) {
+func (m *MockServer) SetRouteSources(selected, active func() route.HAMap) {
 	// Mock implementation - no-op
 }
 

client/internal/dns/network_manager_unix.go

@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"net/netip"
+	"slices"
 	"strings"
 	"time"
 
@@ -32,6 +33,15 @@ const (
 	networkManagerDbusDeviceGetAppliedConnectionMethod                              = networkManagerDbusDeviceInterface + ".GetAppliedConnection"
 	networkManagerDbusDeviceReapplyMethod                                           = networkManagerDbusDeviceInterface + ".Reapply"
 	networkManagerDbusDeviceDeleteMethod                                            = networkManagerDbusDeviceInterface + ".Delete"
+	networkManagerDbusDeviceIp4ConfigProperty                                       = networkManagerDbusDeviceInterface + ".Ip4Config"
+	networkManagerDbusDeviceIp6ConfigProperty                                       = networkManagerDbusDeviceInterface + ".Ip6Config"
+	networkManagerDbusDeviceIfaceProperty                                           = networkManagerDbusDeviceInterface + ".Interface"
+	networkManagerDbusGetDevicesMethod                                              = networkManagerDest + ".GetDevices"
+	networkManagerDbusIp4ConfigInterface                                            = "org.freedesktop.NetworkManager.IP4Config"
+	networkManagerDbusIp6ConfigInterface                                            = "org.freedesktop.NetworkManager.IP6Config"
+	networkManagerDbusIp4ConfigNameserverDataProperty                               = networkManagerDbusIp4ConfigInterface + ".NameserverData"
+	networkManagerDbusIp4ConfigNameserversProperty                                  = networkManagerDbusIp4ConfigInterface + ".Nameservers"
+	networkManagerDbusIp6ConfigNameserversProperty                                  = networkManagerDbusIp6ConfigInterface + ".Nameservers"
 	networkManagerDbusDefaultBehaviorFlag              networkManagerConfigBehavior = 0
 	networkManagerDbusIPv4Key                                                       = "ipv4"
 	networkManagerDbusIPv6Key                                                       = "ipv6"
@@ -51,9 +61,10 @@ var supportedNetworkManagerVersionConstraints = []string{
 }
 
 type networkManagerDbusConfigurator struct {
-	dbusLinkObject dbus.ObjectPath
+	dbusLinkObject  dbus.ObjectPath
-	routingAll     bool
+	routingAll      bool
-	ifaceName      string
+	ifaceName       string
+	origNameservers []netip.Addr
 }
 
 // the types below are based on dbus specification, each field is mapped to a dbus type
@@ -92,10 +103,200 @@ func newNetworkManagerDbusConfigurator(wgInterface string) (*networkManagerDbusC
 
 	log.Debugf("got network manager dbus Link Object: %s from net interface %s", s, wgInterface)
 
-	return &networkManagerDbusConfigurator{
+	c := &networkManagerDbusConfigurator{
 		dbusLinkObject: dbus.ObjectPath(s),
 		ifaceName:      wgInterface,
-	}, nil
+	}
+
+	origNameservers, err := c.captureOriginalNameservers()
+	switch {
+	case err != nil:
+		log.Warnf("capture original nameservers from NetworkManager: %v", err)
+	case len(origNameservers) == 0:
+		log.Warnf("no original nameservers captured from non-WG NetworkManager devices; DNS fallback will be empty")
+	default:
+		log.Debugf("captured %d original nameservers from non-WG NetworkManager devices: %v", len(origNameservers), origNameservers)
+	}
+	c.origNameservers = origNameservers
+	return c, nil
+}
+
+// captureOriginalNameservers reads DNS servers from every NM device's
+// IP4Config / IP6Config except our WG device.
+func (n *networkManagerDbusConfigurator) captureOriginalNameservers() ([]netip.Addr, error) {
+	devices, err := networkManagerListDevices()
+	if err != nil {
+		return nil, fmt.Errorf("list devices: %w", err)
+	}
+
+	seen := make(map[netip.Addr]struct{})
+	var out []netip.Addr
+	for _, dev := range devices {
+		if dev == n.dbusLinkObject {
+			continue
+		}
+		ifaceName := readNetworkManagerDeviceInterface(dev)
+		for _, addr := range readNetworkManagerDeviceDNS(dev) {
+			addr = addr.Unmap()
+			if !addr.IsValid() || addr.IsUnspecified() {
+				continue
+			}
+			// IP6Config.Nameservers is a byte slice without zone info;
+			// reattach the device's interface name so a captured fe80::…
+			// stays routable.
+			if addr.IsLinkLocalUnicast() && ifaceName != "" {
+				addr = addr.WithZone(ifaceName)
+			}
+			if _, dup := seen[addr]; dup {
+				continue
+			}
+			seen[addr] = struct{}{}
+			out = append(out, addr)
+		}
+	}
+	return out, nil
+}
+
+func readNetworkManagerDeviceInterface(devicePath dbus.ObjectPath) string {
+	obj, closeConn, err := getDbusObject(networkManagerDest, devicePath)
+	if err != nil {
+		return ""
+	}
+	defer closeConn()
+	v, err := obj.GetProperty(networkManagerDbusDeviceIfaceProperty)
+	if err != nil {
+		return ""
+	}
+	s, _ := v.Value().(string)
+	return s
+}
+
+func networkManagerListDevices() ([]dbus.ObjectPath, error) {
+	obj, closeConn, err := getDbusObject(networkManagerDest, networkManagerDbusObjectNode)
+	if err != nil {
+		return nil, fmt.Errorf("dbus NetworkManager: %w", err)
+	}
+	defer closeConn()
+	var devs []dbus.ObjectPath
+	if err := obj.Call(networkManagerDbusGetDevicesMethod, dbusDefaultFlag).Store(&devs); err != nil {
+		return nil, err
+	}
+	return devs, nil
+}
+
+func readNetworkManagerDeviceDNS(devicePath dbus.ObjectPath) []netip.Addr {
+	obj, closeConn, err := getDbusObject(networkManagerDest, devicePath)
+	if err != nil {
+		return nil
+	}
+	defer closeConn()
+
+	var out []netip.Addr
+	if path := readNetworkManagerConfigPath(obj, networkManagerDbusDeviceIp4ConfigProperty); path != "" {
+		out = append(out, readIPv4ConfigDNS(path)...)
+	}
+	if path := readNetworkManagerConfigPath(obj, networkManagerDbusDeviceIp6ConfigProperty); path != "" {
+		out = append(out, readIPv6ConfigDNS(path)...)
+	}
+	return out
+}
+
+func readNetworkManagerConfigPath(obj dbus.BusObject, property string) dbus.ObjectPath {
+	v, err := obj.GetProperty(property)
+	if err != nil {
+		return ""
+	}
+	path, ok := v.Value().(dbus.ObjectPath)
+	if !ok || path == "/" {
+		return ""
+	}
+	return path
+}
+
+func readIPv4ConfigDNS(path dbus.ObjectPath) []netip.Addr {
+	obj, closeConn, err := getDbusObject(networkManagerDest, path)
+	if err != nil {
+		return nil
+	}
+	defer closeConn()
+
+	// NameserverData (NM 1.13+) carries strings; older NMs only expose the
+	// legacy uint32 Nameservers property.
+	if out := readIPv4NameserverData(obj); len(out) > 0 {
+		return out
+	}
+	return readIPv4LegacyNameservers(obj)
+}
+
+func readIPv4NameserverData(obj dbus.BusObject) []netip.Addr {
+	v, err := obj.GetProperty(networkManagerDbusIp4ConfigNameserverDataProperty)
+	if err != nil {
+		return nil
+	}
+	entries, ok := v.Value().([]map[string]dbus.Variant)
+	if !ok {
+		return nil
+	}
+	var out []netip.Addr
+	for _, entry := range entries {
+		addrVar, ok := entry["address"]
+		if !ok {
+			continue
+		}
+		s, ok := addrVar.Value().(string)
+		if !ok {
+			continue
+		}
+		if a, err := netip.ParseAddr(s); err == nil {
+			out = append(out, a)
+		}
+	}
+	return out
+}
+
+func readIPv4LegacyNameservers(obj dbus.BusObject) []netip.Addr {
+	v, err := obj.GetProperty(networkManagerDbusIp4ConfigNameserversProperty)
+	if err != nil {
+		return nil
+	}
+	raw, ok := v.Value().([]uint32)
+	if !ok {
+		return nil
+	}
+	out := make([]netip.Addr, 0, len(raw))
+	for _, n := range raw {
+		var b [4]byte
+		binary.LittleEndian.PutUint32(b[:], n)
+		out = append(out, netip.AddrFrom4(b))
+	}
+	return out
+}
+
+func readIPv6ConfigDNS(path dbus.ObjectPath) []netip.Addr {
+	obj, closeConn, err := getDbusObject(networkManagerDest, path)
+	if err != nil {
+		return nil
+	}
+	defer closeConn()
+	v, err := obj.GetProperty(networkManagerDbusIp6ConfigNameserversProperty)
+	if err != nil {
+		return nil
+	}
+	raw, ok := v.Value().([][]byte)
+	if !ok {
+		return nil
+	}
+	out := make([]netip.Addr, 0, len(raw))
+	for _, b := range raw {
+		if a, ok := netip.AddrFromSlice(b); ok {
+			out = append(out, a)
+		}
+	}
+	return out
+}
+
+func (n *networkManagerDbusConfigurator) getOriginalNameservers() []netip.Addr {
+	return slices.Clone(n.origNameservers)
 }
 
 func (n *networkManagerDbusConfigurator) supportCustomPort() bool {

client/internal/dns/server_android.go

@@ -1,5 +1,5 @@
 package dns
 
 func (s *DefaultServer) initialize() (manager hostManager, err error) {
-	return newHostManager()
+	return newHostManager(s.hostsDNSHolder)
 }

client/internal/dns/server_test.go

@@ -6,7 +6,7 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"strings"
+	"runtime"
 	"testing"
 	"time"
 
@@ -15,6 +15,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
 	"golang.zx2c4.com/wireguard/tun/netstack"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
@@ -31,8 +32,10 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
+	"github.com/netbirdio/netbird/client/proto"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/formatter"
+	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
@@ -101,16 +104,17 @@ func init() {
 	formatter.SetTextFormatter(log.StandardLogger())
 }
 
-func generateDummyHandler(domain string, servers []nbdns.NameServer) *upstreamResolverBase {
+func generateDummyHandler(d string, servers []nbdns.NameServer) *upstreamResolverBase {
 	var srvs []netip.AddrPort
 	for _, srv := range servers {
 		srvs = append(srvs, srv.AddrPort())
 	}
-	return &upstreamResolverBase{
+	u := &upstreamResolverBase{
-		domain:          domain,
+		domain: domain.Domain(d),
-		upstreamServers: srvs,
+		cancel: func() {},
-		cancel:          func() {},
 	}
+	u.addRace(srvs)
+	return u
 }
 
 func TestUpdateDNSServer(t *testing.T) {
@@ -653,74 +657,8 @@ func TestDNSServerStartStop(t *testing.T) {
 	}
 }
 
-func TestDNSServerUpstreamDeactivateCallback(t *testing.T) {
-	hostManager := &mockHostConfigurator{}
-	server := DefaultServer{
-		ctx:           context.Background(),
-		service:       NewServiceViaMemory(&mocWGIface{}),
-		localResolver: local.NewResolver(),
-		handlerChain:  NewHandlerChain(),
-		hostManager:   hostManager,
-		currentConfig: HostDNSConfig{
-			Domains: []DomainConfig{
-				{false, "domain0", false},
-				{false, "domain1", false},
-				{false, "domain2", false},
-			},
-		},
-		statusRecorder: peer.NewRecorder("mgm"),
-	}
-
-	var domainsUpdate string
-	hostManager.applyDNSConfigFunc = func(config HostDNSConfig, statemanager *statemanager.Manager) error {
-		domains := []string{}
-		for _, item := range config.Domains {
-			if item.Disabled {
-				continue
-			}
-			domains = append(domains, item.Domain)
-		}
-		domainsUpdate = strings.Join(domains, ",")
-		return nil
-	}
-
-	deactivate, reactivate := server.upstreamCallbacks(&nbdns.NameServerGroup{
-		Domains: []string{"domain1"},
-		NameServers: []nbdns.NameServer{
-			{IP: netip.MustParseAddr("8.8.0.0"), NSType: nbdns.UDPNameServerType, Port: 53},
-		},
-	}, nil, 0)
-
-	deactivate(nil)
-	expected := "domain0,domain2"
-	domains := []string{}
-	for _, item := range server.currentConfig.Domains {
-		if item.Disabled {
-			continue
-		}
-		domains = append(domains, item.Domain)
-	}
-	got := strings.Join(domains, ",")
-	if expected != got {
-		t.Errorf("expected domains list: %q, got %q", expected, got)
-	}
-
-	reactivate()
-	expected = "domain0,domain1,domain2"
-	domains = []string{}
-	for _, item := range server.currentConfig.Domains {
-		if item.Disabled {
-			continue
-		}
-		domains = append(domains, item.Domain)
-	}
-	got = strings.Join(domains, ",")
-	if expected != got {
-		t.Errorf("expected domains list: %q, got %q", expected, domainsUpdate)
-	}
-}
-
 func TestDNSPermanent_updateHostDNS_emptyUpstream(t *testing.T) {
+	skipUnlessAndroid(t)
 	wgIFace, err := createWgInterfaceWithBind(t)
 	if err != nil {
 		t.Fatal("failed to initialize wg interface")
@@ -748,6 +686,7 @@ func TestDNSPermanent_updateHostDNS_emptyUpstream(t *testing.T) {
 }
 
 func TestDNSPermanent_updateUpstream(t *testing.T) {
+	skipUnlessAndroid(t)
 	wgIFace, err := createWgInterfaceWithBind(t)
 	if err != nil {
 		t.Fatal("failed to initialize wg interface")
@@ -841,6 +780,7 @@ func TestDNSPermanent_updateUpstream(t *testing.T) {
 }
 
 func TestDNSPermanent_matchOnly(t *testing.T) {
+	skipUnlessAndroid(t)
 	wgIFace, err := createWgInterfaceWithBind(t)
 	if err != nil {
 		t.Fatal("failed to initialize wg interface")
@@ -913,6 +853,18 @@ func TestDNSPermanent_matchOnly(t *testing.T) {
 	}
 }
 
+// skipUnlessAndroid marks tests that exercise the mobile-permanent DNS path,
+// which only matches a real production setup on android (NewDefaultServerPermanentUpstream
+// + androidHostManager). On non-android the desktop host manager replaces it
+// during Initialize and the assertion stops making sense. Skipped here until we
+// have an android CI runner.
+func skipUnlessAndroid(t *testing.T) {
+	t.Helper()
+	if runtime.GOOS != "android" {
+		t.Skip("requires android runner; mobile-permanent path doesn't match production on this OS")
+	}
+}
+
 func createWgInterfaceWithBind(t *testing.T) (*iface.WGIface, error) {
 	t.Helper()
 	ov := os.Getenv("NB_WG_KERNEL_DISABLED")
@@ -1065,7 +1017,6 @@ type mockHandler struct {
 
 func (m *mockHandler) ServeDNS(dns.ResponseWriter, *dns.Msg) {}
 func (m *mockHandler) Stop()                                 {}
-func (m *mockHandler) ProbeAvailability(context.Context)     {}
 func (m *mockHandler) ID() types.HandlerID                   { return types.HandlerID(m.Id) }
 
 type mockService struct{}
@@ -2085,6 +2036,598 @@ func TestLocalResolverPriorityConstants(t *testing.T) {
 	assert.Equal(t, "local.example.com", localMuxUpdates[0].domain)
 }
 
+// TestBuildUpstreamHandler_MergesGroupsPerDomain verifies that multiple
+// admin-defined nameserver groups targeting the same domain collapse into a
+// single handler with each group preserved as a sequential inner list.
+func TestBuildUpstreamHandler_MergesGroupsPerDomain(t *testing.T) {
+	wgInterface := &mocWGIface{}
+	service := NewServiceViaMemory(wgInterface)
+	server := &DefaultServer{
+		ctx:           context.Background(),
+		wgInterface:   wgInterface,
+		service:       service,
+		localResolver: local.NewResolver(),
+		handlerChain:  NewHandlerChain(),
+		hostManager:   &noopHostConfigurator{},
+		dnsMuxMap:     make(registeredHandlerMap),
+	}
+
+	groups := []*nbdns.NameServerGroup{
+		{
+			NameServers: []nbdns.NameServer{
+				{IP: netip.MustParseAddr("192.0.2.1"), NSType: nbdns.UDPNameServerType, Port: 53},
+			},
+			Domains: []string{"example.com"},
+		},
+		{
+			NameServers: []nbdns.NameServer{
+				{IP: netip.MustParseAddr("192.0.2.2"), NSType: nbdns.UDPNameServerType, Port: 53},
+				{IP: netip.MustParseAddr("192.0.2.3"), NSType: nbdns.UDPNameServerType, Port: 53},
+			},
+			Domains: []string{"example.com"},
+		},
+	}
+
+	muxUpdates, err := server.buildUpstreamHandlerUpdate(groups)
+	require.NoError(t, err)
+	require.Len(t, muxUpdates, 1, "same-domain groups should merge into one handler")
+	assert.Equal(t, "example.com", muxUpdates[0].domain)
+	assert.Equal(t, PriorityUpstream, muxUpdates[0].priority)
+
+	handler := muxUpdates[0].handler.(*upstreamResolver)
+	require.Len(t, handler.upstreamServers, 2, "handler should have two groups")
+	assert.Equal(t, upstreamRace{netip.MustParseAddrPort("192.0.2.1:53")}, handler.upstreamServers[0])
+	assert.Equal(t, upstreamRace{
+		netip.MustParseAddrPort("192.0.2.2:53"),
+		netip.MustParseAddrPort("192.0.2.3:53"),
+	}, handler.upstreamServers[1])
+}
+
+// TestEvaluateNSGroupHealth covers the records-only verdict. The gate
+// (overlay route selected-but-no-active-peer) is intentionally NOT an
+// input to the evaluator anymore: the verdict drives the Enabled flag,
+// which must always reflect what we actually observed. Gate-aware event
+// suppression is tested separately in the projection test.
+//
+// Matrix per upstream: {no record, fresh Ok, fresh Fail, stale Fail,
+// stale Ok, Ok newer than Fail, Fail newer than Ok}.
+// Group verdict: any fresh-working → Healthy; any fresh-broken with no
+// fresh-working → Unhealthy; otherwise Undecided.
+func TestEvaluateNSGroupHealth(t *testing.T) {
+	now := time.Now()
+	a := netip.MustParseAddrPort("192.0.2.1:53")
+	b := netip.MustParseAddrPort("192.0.2.2:53")
+
+	recentOk := UpstreamHealth{LastOk: now.Add(-2 * time.Second)}
+	recentFail := UpstreamHealth{LastFail: now.Add(-1 * time.Second), LastErr: "timeout"}
+	staleOk := UpstreamHealth{LastOk: now.Add(-10 * time.Minute)}
+	staleFail := UpstreamHealth{LastFail: now.Add(-10 * time.Minute), LastErr: "timeout"}
+	okThenFail := UpstreamHealth{
+		LastOk:   now.Add(-10 * time.Second),
+		LastFail: now.Add(-1 * time.Second),
+		LastErr:  "timeout",
+	}
+	failThenOk := UpstreamHealth{
+		LastOk:   now.Add(-1 * time.Second),
+		LastFail: now.Add(-10 * time.Second),
+		LastErr:  "timeout",
+	}
+
+	tests := []struct {
+		name         string
+		health       map[netip.AddrPort]UpstreamHealth
+		servers      []netip.AddrPort
+		wantVerdict  nsGroupVerdict
+		wantErrSubst string
+	}{
+		{
+			name:        "no record, undecided",
+			servers:     []netip.AddrPort{a},
+			wantVerdict: nsVerdictUndecided,
+		},
+		{
+			name:        "fresh success, healthy",
+			health:      map[netip.AddrPort]UpstreamHealth{a: recentOk},
+			servers:     []netip.AddrPort{a},
+			wantVerdict: nsVerdictHealthy,
+		},
+		{
+			name:         "fresh failure, unhealthy",
+			health:       map[netip.AddrPort]UpstreamHealth{a: recentFail},
+			servers:      []netip.AddrPort{a},
+			wantVerdict:  nsVerdictUnhealthy,
+			wantErrSubst: "timeout",
+		},
+		{
+			name:        "only stale success, undecided",
+			health:      map[netip.AddrPort]UpstreamHealth{a: staleOk},
+			servers:     []netip.AddrPort{a},
+			wantVerdict: nsVerdictUndecided,
+		},
+		{
+			name:        "only stale failure, undecided",
+			health:      map[netip.AddrPort]UpstreamHealth{a: staleFail},
+			servers:     []netip.AddrPort{a},
+			wantVerdict: nsVerdictUndecided,
+		},
+		{
+			name:         "both fresh, fail newer, unhealthy",
+			health:       map[netip.AddrPort]UpstreamHealth{a: okThenFail},
+			servers:      []netip.AddrPort{a},
+			wantVerdict:  nsVerdictUnhealthy,
+			wantErrSubst: "timeout",
+		},
+		{
+			name:        "both fresh, ok newer, healthy",
+			health:      map[netip.AddrPort]UpstreamHealth{a: failThenOk},
+			servers:     []netip.AddrPort{a},
+			wantVerdict: nsVerdictHealthy,
+		},
+		{
+			name: "two upstreams, one success wins",
+			health: map[netip.AddrPort]UpstreamHealth{
+				a: recentFail,
+				b: recentOk,
+			},
+			servers:     []netip.AddrPort{a, b},
+			wantVerdict: nsVerdictHealthy,
+		},
+		{
+			name: "two upstreams, one fail one unseen, unhealthy",
+			health: map[netip.AddrPort]UpstreamHealth{
+				a: recentFail,
+			},
+			servers:      []netip.AddrPort{a, b},
+			wantVerdict:  nsVerdictUnhealthy,
+			wantErrSubst: "timeout",
+		},
+		{
+			name: "two upstreams, all recent failures, unhealthy",
+			health: map[netip.AddrPort]UpstreamHealth{
+				a: {LastFail: now.Add(-5 * time.Second), LastErr: "timeout"},
+				b: {LastFail: now.Add(-1 * time.Second), LastErr: "SERVFAIL"},
+			},
+			servers:      []netip.AddrPort{a, b},
+			wantVerdict:  nsVerdictUnhealthy,
+			wantErrSubst: "SERVFAIL",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			verdict, err := evaluateNSGroupHealth(tc.health, tc.servers, now)
+			assert.Equal(t, tc.wantVerdict, verdict, "verdict mismatch")
+			if tc.wantErrSubst != "" {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tc.wantErrSubst)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
+
+// healthStubHandler is a minimal dnsMuxMap entry that exposes a fixed
+// UpstreamHealth snapshot, letting tests drive recomputeNSGroupStates
+// without spinning up real handlers.
+type healthStubHandler struct {
+	health map[netip.AddrPort]UpstreamHealth
+}
+
+func (h *healthStubHandler) ServeDNS(dns.ResponseWriter, *dns.Msg) {}
+func (h *healthStubHandler) Stop()                                 {}
+func (h *healthStubHandler) ID() types.HandlerID                   { return "health-stub" }
+func (h *healthStubHandler) UpstreamHealth() map[netip.AddrPort]UpstreamHealth {
+	return h.health
+}
+
+// TestProjection_SteadyStateIsSilent guards against duplicate events:
+// while a group stays Unhealthy tick after tick, only the first
+// Unhealthy transition may emit. Same for staying Healthy.
+func TestProjection_SteadyStateIsSilent(t *testing.T) {
+	fx := newProjTestFixture(t)
+
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	fx.tick()
+	fx.expectEvent("unreachable", "first fail emits warning")
+
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	fx.tick()
+	fx.tick()
+	fx.expectNoEvent("staying unhealthy must not re-emit")
+
+	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
+	fx.tick()
+	fx.expectEvent("recovered", "recovery on transition")
+
+	fx.tick()
+	fx.tick()
+	fx.expectNoEvent("staying healthy must not re-emit")
+}
+
+// projTestFixture is the common setup for the projection tests: a
+// single-upstream group whose route classification the test can flip by
+// assigning to selected/active. Callers drive failures/successes by
+// mutating stub.health and calling refreshHealth.
+type projTestFixture struct {
+	t        *testing.T
+	recorder *peer.Status
+	events   <-chan *proto.SystemEvent
+	server   *DefaultServer
+	stub     *healthStubHandler
+	group    *nbdns.NameServerGroup
+	srv      netip.AddrPort
+	selected route.HAMap
+	active   route.HAMap
+}
+
+func newProjTestFixture(t *testing.T) *projTestFixture {
+	t.Helper()
+	recorder := peer.NewRecorder("mgm")
+	sub := recorder.SubscribeToEvents()
+	t.Cleanup(func() { recorder.UnsubscribeFromEvents(sub) })
+
+	srv := netip.MustParseAddrPort("100.64.0.1:53")
+	fx := &projTestFixture{
+		t:        t,
+		recorder: recorder,
+		events:   sub.Events(),
+		stub:     &healthStubHandler{health: map[netip.AddrPort]UpstreamHealth{}},
+		srv:      srv,
+		group: &nbdns.NameServerGroup{
+			Domains:     []string{"example.com"},
+			NameServers: []nbdns.NameServer{{IP: srv.Addr(), NSType: nbdns.UDPNameServerType, Port: int(srv.Port())}},
+		},
+	}
+	fx.server = &DefaultServer{
+		ctx:              context.Background(),
+		wgInterface:      &mocWGIface{},
+		statusRecorder:   recorder,
+		dnsMuxMap:        make(registeredHandlerMap),
+		selectedRoutes:   func() route.HAMap { return fx.selected },
+		activeRoutes:     func() route.HAMap { return fx.active },
+		warningDelayBase: defaultWarningDelayBase,
+	}
+	fx.server.dnsMuxMap["example.com"] = handlerWrapper{domain: "example.com", handler: fx.stub, priority: PriorityUpstream}
+
+	fx.server.mux.Lock()
+	fx.server.updateNSGroupStates([]*nbdns.NameServerGroup{fx.group})
+	fx.server.mux.Unlock()
+	return fx
+}
+
+func (f *projTestFixture) setHealth(h UpstreamHealth) {
+	f.stub.health = map[netip.AddrPort]UpstreamHealth{f.srv: h}
+}
+
+func (f *projTestFixture) tick() []peer.NSGroupState {
+	f.server.refreshHealth()
+	return f.recorder.GetDNSStates()
+}
+
+func (f *projTestFixture) expectNoEvent(why string) {
+	f.t.Helper()
+	select {
+	case evt := <-f.events:
+		f.t.Fatalf("unexpected event (%s): %+v", why, evt)
+	case <-time.After(100 * time.Millisecond):
+	}
+}
+
+func (f *projTestFixture) expectEvent(substr, why string) *proto.SystemEvent {
+	f.t.Helper()
+	select {
+	case evt := <-f.events:
+		assert.Contains(f.t, evt.Message, substr, why)
+		return evt
+	case <-time.After(time.Second):
+		f.t.Fatalf("expected event (%s) with %q", why, substr)
+		return nil
+	}
+}
+
+var overlayNetForTest = netip.MustParsePrefix("100.64.0.0/16")
+var overlayMapForTest = route.HAMap{"overlay": {{Network: overlayNetForTest}}}
+
+// TestProjection_PublicFailEmitsImmediately covers rule 1: an upstream
+// that is not inside any selected route (public DNS) fires the warning
+// on the first Unhealthy tick, no grace period.
+func TestProjection_PublicFailEmitsImmediately(t *testing.T) {
+	fx := newProjTestFixture(t)
+
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	states := fx.tick()
+	require.Len(t, states, 1)
+	assert.False(t, states[0].Enabled)
+	fx.expectEvent("unreachable", "public DNS failure")
+}
+
+// TestProjection_OverlayConnectedFailEmitsImmediately covers rule 2:
+// the upstream is inside a selected route AND the route has a Connected
+// peer. Tunnel is up, failure is real, emit immediately.
+func TestProjection_OverlayConnectedFailEmitsImmediately(t *testing.T) {
+	fx := newProjTestFixture(t)
+	fx.selected = overlayMapForTest
+	fx.active = overlayMapForTest
+
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	states := fx.tick()
+	require.Len(t, states, 1)
+	assert.False(t, states[0].Enabled)
+	fx.expectEvent("unreachable", "overlay + connected failure")
+}
+
+// TestProjection_OverlayNotConnectedDelaysWarning covers rule 3: the
+// upstream is routed but no peer is Connected (Connecting/Idle/missing).
+// First tick: Unhealthy display, no warning. After the grace window
+// elapses with no recovery, the warning fires.
+func TestProjection_OverlayNotConnectedDelaysWarning(t *testing.T) {
+	grace := 50 * time.Millisecond
+	fx := newProjTestFixture(t)
+	fx.server.warningDelayBase = grace
+	fx.selected = overlayMapForTest
+	// active stays nil: routed but not connected.
+
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	states := fx.tick()
+	require.Len(t, states, 1)
+	assert.False(t, states[0].Enabled, "display must reflect failure even during grace window")
+	fx.expectNoEvent("first fail tick within grace window")
+
+	time.Sleep(grace + 10*time.Millisecond)
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	fx.tick()
+	fx.expectEvent("unreachable", "warning after grace window")
+}
+
+// TestProjection_OverlayAddrNoRouteDelaysWarning covers an upstream
+// whose address is inside the WireGuard overlay range but is not
+// covered by any selected route (peer-to-peer DNS without an explicit
+// route). Until a peer reports Connected for that address, startup
+// failures must be held just like the routed case.
+func TestProjection_OverlayAddrNoRouteDelaysWarning(t *testing.T) {
+	recorder := peer.NewRecorder("mgm")
+	sub := recorder.SubscribeToEvents()
+	t.Cleanup(func() { recorder.UnsubscribeFromEvents(sub) })
+
+	overlayPeer := netip.MustParseAddrPort("100.66.100.5:53")
+	server := &DefaultServer{
+		ctx:              context.Background(),
+		wgInterface:      &mocWGIface{},
+		statusRecorder:   recorder,
+		dnsMuxMap:        make(registeredHandlerMap),
+		selectedRoutes:   func() route.HAMap { return nil },
+		activeRoutes:     func() route.HAMap { return nil },
+		warningDelayBase: 50 * time.Millisecond,
+	}
+	group := &nbdns.NameServerGroup{
+		Domains:     []string{"example.com"},
+		NameServers: []nbdns.NameServer{{IP: overlayPeer.Addr(), NSType: nbdns.UDPNameServerType, Port: int(overlayPeer.Port())}},
+	}
+	stub := &healthStubHandler{health: map[netip.AddrPort]UpstreamHealth{
+		overlayPeer: {LastFail: time.Now(), LastErr: "timeout"},
+	}}
+	server.dnsMuxMap["example.com"] = handlerWrapper{domain: "example.com", handler: stub, priority: PriorityUpstream}
+
+	server.mux.Lock()
+	server.updateNSGroupStates([]*nbdns.NameServerGroup{group})
+	server.mux.Unlock()
+	server.refreshHealth()
+
+	select {
+	case evt := <-sub.Events():
+		t.Fatalf("unexpected event during grace window: %+v", evt)
+	case <-time.After(100 * time.Millisecond):
+	}
+
+	time.Sleep(60 * time.Millisecond)
+	stub.health = map[netip.AddrPort]UpstreamHealth{overlayPeer: {LastFail: time.Now(), LastErr: "timeout"}}
+	server.refreshHealth()
+
+	select {
+	case evt := <-sub.Events():
+		assert.Contains(t, evt.Message, "unreachable")
+	case <-time.After(time.Second):
+		t.Fatal("expected warning after grace window")
+	}
+}
+
+// TestProjection_StopClearsHealthState verifies that Stop wipes the
+// per-group projection state so a subsequent Start doesn't inherit
+// sticky flags (notably everHealthy) that would bypass the grace
+// window during the next peer handshake.
+func TestProjection_StopClearsHealthState(t *testing.T) {
+	wgIface := &mocWGIface{}
+	server := &DefaultServer{
+		ctx:               context.Background(),
+		wgInterface:       wgIface,
+		service:           NewServiceViaMemory(wgIface),
+		hostManager:       &noopHostConfigurator{},
+		extraDomains:      map[domain.Domain]int{},
+		dnsMuxMap:         make(registeredHandlerMap),
+		statusRecorder:    peer.NewRecorder("mgm"),
+		selectedRoutes:    func() route.HAMap { return nil },
+		activeRoutes:      func() route.HAMap { return nil },
+		warningDelayBase:  defaultWarningDelayBase,
+		currentConfigHash: ^uint64(0),
+	}
+	server.ctx, server.ctxCancel = context.WithCancel(context.Background())
+
+	srv := netip.MustParseAddrPort("8.8.8.8:53")
+	group := &nbdns.NameServerGroup{
+		Domains:     []string{"example.com"},
+		NameServers: []nbdns.NameServer{{IP: srv.Addr(), NSType: nbdns.UDPNameServerType, Port: int(srv.Port())}},
+	}
+	stub := &healthStubHandler{health: map[netip.AddrPort]UpstreamHealth{srv: {LastOk: time.Now()}}}
+	server.dnsMuxMap["example.com"] = handlerWrapper{domain: "example.com", handler: stub, priority: PriorityUpstream}
+
+	server.mux.Lock()
+	server.updateNSGroupStates([]*nbdns.NameServerGroup{group})
+	server.mux.Unlock()
+	server.refreshHealth()
+
+	server.healthProjectMu.Lock()
+	p, ok := server.nsGroupProj[generateGroupKey(group)]
+	server.healthProjectMu.Unlock()
+	require.True(t, ok, "projection state should exist after tick")
+	require.True(t, p.everHealthy, "tick with success must set everHealthy")
+
+	server.Stop()
+
+	server.healthProjectMu.Lock()
+	cleared := server.nsGroupProj == nil
+	server.healthProjectMu.Unlock()
+	assert.True(t, cleared, "Stop must clear nsGroupProj")
+}
+
+// TestProjection_OverlayRecoversDuringGrace covers the happy path of
+// rule 3: startup failures while the peer is handshaking, then the peer
+// comes up and a query succeeds before the grace window elapses. No
+// warning should ever have fired, and no recovery either.
+func TestProjection_OverlayRecoversDuringGrace(t *testing.T) {
+	fx := newProjTestFixture(t)
+	fx.server.warningDelayBase = 200 * time.Millisecond
+	fx.selected = overlayMapForTest
+
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	fx.tick()
+	fx.expectNoEvent("fail within grace, warning suppressed")
+
+	fx.active = overlayMapForTest
+	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
+	states := fx.tick()
+	require.Len(t, states, 1)
+	assert.True(t, states[0].Enabled)
+	fx.expectNoEvent("recovery without prior warning must not emit")
+}
+
+// TestProjection_RecoveryOnlyAfterWarning enforces the invariant the
+// whole design leans on: recovery events only appear when a warning
+// event was actually emitted for the current streak. A Healthy verdict
+// without a prior warning is silent, so the user never sees "recovered"
+// out of thin air.
+func TestProjection_RecoveryOnlyAfterWarning(t *testing.T) {
+	fx := newProjTestFixture(t)
+
+	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
+	states := fx.tick()
+	require.Len(t, states, 1)
+	assert.True(t, states[0].Enabled)
+	fx.expectNoEvent("first healthy tick should not recover anything")
+
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	fx.tick()
+	fx.expectEvent("unreachable", "public fail emits immediately")
+
+	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
+	fx.tick()
+	fx.expectEvent("recovered", "recovery follows real warning")
+
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	fx.tick()
+	fx.expectEvent("unreachable", "second cycle warning")
+
+	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
+	fx.tick()
+	fx.expectEvent("recovered", "second cycle recovery")
+}
+
+// TestProjection_EverHealthyOverridesDelay covers rule 4: once a group
+// has ever been Healthy, subsequent failures skip the grace window even
+// if classification says "routed + not connected". The system has
+// proved it can work, so any new failure is real.
+func TestProjection_EverHealthyOverridesDelay(t *testing.T) {
+	fx := newProjTestFixture(t)
+	// Large base so any emission must come from the everHealthy bypass, not elapsed time.
+	fx.server.warningDelayBase = time.Hour
+	fx.selected = overlayMapForTest
+	fx.active = overlayMapForTest
+
+	// Establish "ever healthy".
+	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
+	fx.tick()
+	fx.expectNoEvent("first healthy tick")
+
+	// Peer drops. Query fails. Routed + not connected → normally grace,
+	// but everHealthy flag bypasses it.
+	fx.active = nil
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	fx.tick()
+	fx.expectEvent("unreachable", "failure after ever-healthy must be immediate")
+}
+
+// TestProjection_ReconnectBlipEmitsPair covers the explicit tradeoff
+// from the design discussion: once a group has been healthy, a brief
+// reconnect that produces a failing tick will fire warning + recovery.
+// This is by design: user-visible blips are accurate signal, not noise.
+func TestProjection_ReconnectBlipEmitsPair(t *testing.T) {
+	fx := newProjTestFixture(t)
+	fx.selected = overlayMapForTest
+	fx.active = overlayMapForTest
+
+	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
+	fx.tick()
+
+	fx.setHealth(UpstreamHealth{LastFail: time.Now(), LastErr: "timeout"})
+	fx.tick()
+	fx.expectEvent("unreachable", "blip warning")
+
+	fx.setHealth(UpstreamHealth{LastOk: time.Now()})
+	fx.tick()
+	fx.expectEvent("recovered", "blip recovery")
+}
+
+// TestProjection_MixedGroupEmitsImmediately covers the multi-upstream
+// rule: a group with at least one public upstream is in the "immediate"
+// category regardless of the other upstreams' routing, because the
+// public one has no peer-startup excuse. Prevents public-DNS failures
+// from being hidden behind a routed sibling.
+func TestProjection_MixedGroupEmitsImmediately(t *testing.T) {
+	recorder := peer.NewRecorder("mgm")
+	sub := recorder.SubscribeToEvents()
+	t.Cleanup(func() { recorder.UnsubscribeFromEvents(sub) })
+	events := sub.Events()
+
+	public := netip.MustParseAddrPort("8.8.8.8:53")
+	overlay := netip.MustParseAddrPort("100.64.0.1:53")
+	overlayMap := route.HAMap{"overlay": {{Network: netip.MustParsePrefix("100.64.0.0/16")}}}
+
+	server := &DefaultServer{
+		ctx:              context.Background(),
+		statusRecorder:   recorder,
+		dnsMuxMap:        make(registeredHandlerMap),
+		selectedRoutes:   func() route.HAMap { return overlayMap },
+		activeRoutes:     func() route.HAMap { return nil },
+		warningDelayBase: time.Hour,
+	}
+	group := &nbdns.NameServerGroup{
+		Domains: []string{"example.com"},
+		NameServers: []nbdns.NameServer{
+			{IP: public.Addr(), NSType: nbdns.UDPNameServerType, Port: int(public.Port())},
+			{IP: overlay.Addr(), NSType: nbdns.UDPNameServerType, Port: int(overlay.Port())},
+		},
+	}
+	stub := &healthStubHandler{
+		health: map[netip.AddrPort]UpstreamHealth{
+			public:  {LastFail: time.Now(), LastErr: "servfail"},
+			overlay: {LastFail: time.Now(), LastErr: "timeout"},
+		},
+	}
+	server.dnsMuxMap["example.com"] = handlerWrapper{domain: "example.com", handler: stub, priority: PriorityUpstream}
+
+	server.mux.Lock()
+	server.updateNSGroupStates([]*nbdns.NameServerGroup{group})
+	server.mux.Unlock()
+	server.refreshHealth()
+
+	select {
+	case evt := <-events:
+		assert.Contains(t, evt.Message, "unreachable")
+	case <-time.After(time.Second):
+		t.Fatal("expected immediate warning because group contains a public upstream")
+	}
+}
+
 func TestDNSLoopPrevention(t *testing.T) {
 	wgInterface := &mocWGIface{}
 	service := NewServiceViaMemory(wgInterface)
@@ -2183,17 +2726,18 @@ func TestDNSLoopPrevention(t *testing.T) {
 
 			if tt.expectedHandlers > 0 {
 				handler := muxUpdates[0].handler.(*upstreamResolver)
-				assert.Len(t, handler.upstreamServers, len(tt.expectedServers))
+				flat := handler.flatUpstreams()
+				assert.Len(t, flat, len(tt.expectedServers))
 
 				if tt.shouldFilterOwnIP {
-					for _, upstream := range handler.upstreamServers {
+					for _, upstream := range flat {
 						assert.NotEqual(t, dnsServerIP, upstream.Addr())
 					}
 				}
 
 				for _, expected := range tt.expectedServers {
 					found := false
-					for _, upstream := range handler.upstreamServers {
+					for _, upstream := range flat {
 						if upstream.Addr() == expected {
 							found = true
 							break

client/internal/dns/systemd_linux.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"slices"
 	"time"
 
 	"github.com/godbus/dbus/v5"
@@ -40,10 +41,17 @@ const (
 )
 
 type systemdDbusConfigurator struct {
-	dbusLinkObject dbus.ObjectPath
+	dbusLinkObject  dbus.ObjectPath
-	ifaceName      string
+	ifaceName       string
+	wgIndex         int
+	origNameservers []netip.Addr
 }
 
+const (
+	systemdDbusLinkDNSProperty          = systemdDbusLinkInterface + ".DNS"
+	systemdDbusLinkDefaultRouteProperty = systemdDbusLinkInterface + ".DefaultRoute"
+)
+
 // the types below are based on dbus specification, each field is mapped to a dbus type
 // see https://dbus.freedesktop.org/doc/dbus-specification.html#basic-types for more details on dbus types
 // see https://www.freedesktop.org/software/systemd/man/org.freedesktop.resolve1.html on resolve1 input types
@@ -79,10 +87,145 @@ func newSystemdDbusConfigurator(wgInterface string) (*systemdDbusConfigurator, e
 
 	log.Debugf("got dbus Link interface: %s from net interface %s and index %d", s, iface.Name, iface.Index)
 
-	return &systemdDbusConfigurator{
+	c := &systemdDbusConfigurator{
 		dbusLinkObject: dbus.ObjectPath(s),
 		ifaceName:      wgInterface,
-	}, nil
+		wgIndex:        iface.Index,
+	}
+
+	origNameservers, err := c.captureOriginalNameservers()
+	switch {
+	case err != nil:
+		log.Warnf("capture original nameservers from systemd-resolved: %v", err)
+	case len(origNameservers) == 0:
+		log.Warnf("no original nameservers captured from systemd-resolved default-route links; DNS fallback will be empty")
+	default:
+		log.Debugf("captured %d original nameservers from systemd-resolved default-route links: %v", len(origNameservers), origNameservers)
+	}
+	c.origNameservers = origNameservers
+	return c, nil
+}
+
+// captureOriginalNameservers reads per-link DNS from systemd-resolved for
+// every default-route link except our own WG link. Non-default-route links
+// (VPNs, docker bridges) are skipped because their upstreams wouldn't
+// actually serve host queries.
+func (s *systemdDbusConfigurator) captureOriginalNameservers() ([]netip.Addr, error) {
+	ifaces, err := net.Interfaces()
+	if err != nil {
+		return nil, fmt.Errorf("list interfaces: %w", err)
+	}
+
+	seen := make(map[netip.Addr]struct{})
+	var out []netip.Addr
+	for _, iface := range ifaces {
+		if !s.isCandidateLink(iface) {
+			continue
+		}
+		linkPath, err := getSystemdLinkPath(iface.Index)
+		if err != nil || !isSystemdLinkDefaultRoute(linkPath) {
+			continue
+		}
+		for _, addr := range readSystemdLinkDNS(linkPath) {
+			addr = normalizeSystemdAddr(addr, iface.Name)
+			if !addr.IsValid() {
+				continue
+			}
+			if _, dup := seen[addr]; dup {
+				continue
+			}
+			seen[addr] = struct{}{}
+			out = append(out, addr)
+		}
+	}
+	return out, nil
+}
+
+func (s *systemdDbusConfigurator) isCandidateLink(iface net.Interface) bool {
+	if iface.Index == s.wgIndex {
+		return false
+	}
+	if iface.Flags&net.FlagLoopback != 0 || iface.Flags&net.FlagUp == 0 {
+		return false
+	}
+	return true
+}
+
+// normalizeSystemdAddr unmaps v4-mapped-v6, drops unspecified, and reattaches
+// the link's iface name as zone for link-local v6 (Link.DNS strips it).
+// Returns the zero Addr to signal "skip this entry".
+func normalizeSystemdAddr(addr netip.Addr, ifaceName string) netip.Addr {
+	addr = addr.Unmap()
+	if !addr.IsValid() || addr.IsUnspecified() {
+		return netip.Addr{}
+	}
+	if addr.IsLinkLocalUnicast() {
+		return addr.WithZone(ifaceName)
+	}
+	return addr
+}
+
+func getSystemdLinkPath(ifIndex int) (dbus.ObjectPath, error) {
+	obj, closeConn, err := getDbusObject(systemdResolvedDest, systemdDbusObjectNode)
+	if err != nil {
+		return "", fmt.Errorf("dbus resolve1: %w", err)
+	}
+	defer closeConn()
+	var p string
+	if err := obj.Call(systemdDbusGetLinkMethod, dbusDefaultFlag, int32(ifIndex)).Store(&p); err != nil {
+		return "", err
+	}
+	return dbus.ObjectPath(p), nil
+}
+
+func isSystemdLinkDefaultRoute(linkPath dbus.ObjectPath) bool {
+	obj, closeConn, err := getDbusObject(systemdResolvedDest, linkPath)
+	if err != nil {
+		return false
+	}
+	defer closeConn()
+	v, err := obj.GetProperty(systemdDbusLinkDefaultRouteProperty)
+	if err != nil {
+		return false
+	}
+	b, ok := v.Value().(bool)
+	return ok && b
+}
+
+func readSystemdLinkDNS(linkPath dbus.ObjectPath) []netip.Addr {
+	obj, closeConn, err := getDbusObject(systemdResolvedDest, linkPath)
+	if err != nil {
+		return nil
+	}
+	defer closeConn()
+	v, err := obj.GetProperty(systemdDbusLinkDNSProperty)
+	if err != nil {
+		return nil
+	}
+	entries, ok := v.Value().([][]any)
+	if !ok {
+		return nil
+	}
+	var out []netip.Addr
+	for _, entry := range entries {
+		if len(entry) < 2 {
+			continue
+		}
+		raw, ok := entry[1].([]byte)
+		if !ok {
+			continue
+		}
+		addr, ok := netip.AddrFromSlice(raw)
+		if !ok {
+			continue
+		}
+		out = append(out, addr)
+	}
+	return out
+}
+
+func (s *systemdDbusConfigurator) getOriginalNameservers() []netip.Addr {
+	return slices.Clone(s.origNameservers)
 }
 
 func (s *systemdDbusConfigurator) supportCustomPort() bool {

client/internal/dns/upstream.go

@@ -1,3 +1,32 @@
+// Package dns implements the client-side DNS stack: listener/service on the
+// peer's tunnel address, handler chain that routes questions by domain and
+// priority, and upstream resolvers that forward what remains to configured
+// nameservers.
+//
+// # Upstream resolution and the race model
+//
+// When two or more nameserver groups target the same domain, DefaultServer
+// merges them into one upstream handler whose state is:
+//
+//	upstreamResolverBase
+//	  └── upstreamServers []upstreamRace   // one entry per source NS group
+//	        └── []netip.AddrPort           // primary, fallback, ...
+//
+// Each source nameserver group contributes one upstreamRace. Within a race
+// upstreams are tried in order: the next is used only on failure (timeout,
+// SERVFAIL, REFUSED, no response). NXDOMAIN is a valid answer and stops
+// the walk. When more than one race exists, ServeDNS fans out one
+// goroutine per race and returns the first valid answer, cancelling the
+// rest. A handler with a single race skips the fan-out.
+//
+// # Health projection
+//
+// Query outcomes are recorded per-upstream in UpstreamHealth. The server
+// periodically merges these snapshots across handlers and projects them
+// into peer.NSGroupState. There is no active probing: a group is marked
+// unhealthy only when every seen upstream has a recent failure and none
+// has a recent success. Healthy→unhealthy fires a single
+// SystemEvent_WARNING; steady-state refreshes do not duplicate it.
 package dns
 
 import (
@@ -11,11 +40,8 @@ import (
 	"slices"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"time"
 
-	"github.com/cenkalti/backoff/v4"
-	"github.com/hashicorp/go-multierror"
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/tun/netstack"
@@ -25,7 +51,8 @@ import (
 	"github.com/netbirdio/netbird/client/internal/dns/resutil"
 	"github.com/netbirdio/netbird/client/internal/dns/types"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/route"
+	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
 var currentMTU uint16 = iface.DefaultMTU
@@ -67,15 +94,17 @@ const (
 	// Set longer than UpstreamTimeout to ensure context timeout takes precedence
 	ClientTimeout = 5 * time.Second
 
-	reactivatePeriod = 30 * time.Second
-	probeTimeout     = 2 * time.Second
-
 	// ipv6HeaderSize + udpHeaderSize, used to derive the maximum DNS UDP
 	// payload from the tunnel MTU.
 	ipUDPHeaderSize = 60 + 8
-)
 
-const testRecord = "com."
+	// raceMaxTotalTimeout caps the combined time spent walking all upstreams
+	// within one race, so a slow primary can't eat the whole race budget.
+	raceMaxTotalTimeout = 5 * time.Second
+	// raceMinPerUpstreamTimeout is the floor applied when dividing
+	// raceMaxTotalTimeout across upstreams within a race.
+	raceMinPerUpstreamTimeout = 2 * time.Second
+)
 
 const (
 	protoUDP = "udp"
@@ -84,6 +113,69 @@ const (
 
 type dnsProtocolKey struct{}
 
+type upstreamProtocolKey struct{}
+
+// upstreamProtocolResult holds the protocol used for the upstream exchange.
+// Stored as a pointer in context so the exchange function can set it.
+type upstreamProtocolResult struct {
+	protocol string
+}
+
+type upstreamClient interface {
+	exchange(ctx context.Context, upstream string, r *dns.Msg) (*dns.Msg, time.Duration, error)
+}
+
+type UpstreamResolver interface {
+	serveDNS(r *dns.Msg) (*dns.Msg, time.Duration, error)
+	upstreamExchange(upstream string, r *dns.Msg) (*dns.Msg, time.Duration, error)
+}
+
+// upstreamRace is an ordered list of upstreams derived from one configured
+// nameserver group. Order matters: the first upstream is tried first, the
+// second only on failure, and so on. Multiple upstreamRace values coexist
+// inside one resolver when overlapping nameserver groups target the same
+// domain; those races run in parallel and the first valid answer wins.
+type upstreamRace []netip.AddrPort
+
+// UpstreamHealth is the last query-path outcome for a single upstream,
+// consumed by nameserver-group status projection.
+type UpstreamHealth struct {
+	LastOk   time.Time
+	LastFail time.Time
+	LastErr  string
+}
+
+type upstreamResolverBase struct {
+	ctx             context.Context
+	cancel          context.CancelFunc
+	upstreamClient  upstreamClient
+	upstreamServers []upstreamRace
+	domain          domain.Domain
+	upstreamTimeout time.Duration
+
+	healthMu sync.RWMutex
+	health   map[netip.AddrPort]*UpstreamHealth
+
+	statusRecorder *peer.Status
+	// selectedRoutes returns the current set of client routes the admin
+	// has enabled. Called lazily from the query hot path when an upstream
+	// might need a tunnel-bound client (iOS) and from health projection.
+	selectedRoutes func() route.HAMap
+}
+
+type upstreamFailure struct {
+	upstream netip.AddrPort
+	reason   string
+}
+
+type raceResult struct {
+	msg      *dns.Msg
+	upstream netip.AddrPort
+	protocol string
+	ede      string
+	failures []upstreamFailure
+}
+
 // contextWithDNSProtocol stores the inbound DNS protocol ("udp" or "tcp") in context.
 func contextWithDNSProtocol(ctx context.Context, network string) context.Context {
 	return context.WithValue(ctx, dnsProtocolKey{}, network)
@@ -100,16 +192,8 @@ func dnsProtocolFromContext(ctx context.Context) string {
 	return ""
 }
 
-type upstreamProtocolKey struct{}
+// contextWithUpstreamProtocolResult stores a mutable result holder in the context.
-
+func contextWithUpstreamProtocolResult(ctx context.Context) (context.Context, *upstreamProtocolResult) {
-// upstreamProtocolResult holds the protocol used for the upstream exchange.
-// Stored as a pointer in context so the exchange function can set it.
-type upstreamProtocolResult struct {
-	protocol string
-}
-
-// contextWithupstreamProtocolResult stores a mutable result holder in the context.
-func contextWithupstreamProtocolResult(ctx context.Context) (context.Context, *upstreamProtocolResult) {
 	r := &upstreamProtocolResult{}
 	return context.WithValue(ctx, upstreamProtocolKey{}, r), r
 }
@@ -124,67 +208,37 @@ func setUpstreamProtocol(ctx context.Context, protocol string) {
 	}
 }
 
-type upstreamClient interface {
+func newUpstreamResolverBase(ctx context.Context, statusRecorder *peer.Status, d domain.Domain) *upstreamResolverBase {
-	exchange(ctx context.Context, upstream string, r *dns.Msg) (*dns.Msg, time.Duration, error)
-}
-
-type UpstreamResolver interface {
-	serveDNS(r *dns.Msg) (*dns.Msg, time.Duration, error)
-	upstreamExchange(upstream string, r *dns.Msg) (*dns.Msg, time.Duration, error)
-}
-
-type upstreamResolverBase struct {
-	ctx              context.Context
-	cancel           context.CancelFunc
-	upstreamClient   upstreamClient
-	upstreamServers  []netip.AddrPort
-	domain           string
-	disabled         bool
-	successCount     atomic.Int32
-	mutex            sync.Mutex
-	reactivatePeriod time.Duration
-	upstreamTimeout  time.Duration
-	wg               sync.WaitGroup
-
-	deactivate     func(error)
-	reactivate     func()
-	statusRecorder *peer.Status
-	routeMatch     func(netip.Addr) bool
-}
-
-type upstreamFailure struct {
-	upstream netip.AddrPort
-	reason   string
-}
-
-func newUpstreamResolverBase(ctx context.Context, statusRecorder *peer.Status, domain string) *upstreamResolverBase {
 	ctx, cancel := context.WithCancel(ctx)
 
 	return &upstreamResolverBase{
-		ctx:              ctx,
+		ctx:             ctx,
-		cancel:           cancel,
+		cancel:          cancel,
-		domain:           domain,
+		domain:          d,
-		upstreamTimeout:  UpstreamTimeout,
+		upstreamTimeout: UpstreamTimeout,
-		reactivatePeriod: reactivatePeriod,
+		statusRecorder:  statusRecorder,
-		statusRecorder:   statusRecorder,
 	}
 }
 
 // String returns a string representation of the upstream resolver
 func (u *upstreamResolverBase) String() string {
-	return fmt.Sprintf("Upstream %s", u.upstreamServers)
+	return fmt.Sprintf("Upstream %s", u.flatUpstreams())
 }
 
-// ID returns the unique handler ID
+// ID returns the unique handler ID. Race groupings and within-race
+// ordering are both part of the identity: [[A,B]] and [[A],[B]] query
+// the same servers but with different semantics (serial fallback vs
+// parallel race), so their handlers must not collide.
 func (u *upstreamResolverBase) ID() types.HandlerID {
-	servers := slices.Clone(u.upstreamServers)
-	slices.SortFunc(servers, func(a, b netip.AddrPort) int { return a.Compare(b) })
-
 	hash := sha256.New()
-	hash.Write([]byte(u.domain + ":"))
+	hash.Write([]byte(u.domain.PunycodeString() + ":"))
-	for _, s := range servers {
+	for _, race := range u.upstreamServers {
-		hash.Write([]byte(s.String()))
+		hash.Write([]byte("["))
-		hash.Write([]byte("|"))
+		for _, s := range race {
+			hash.Write([]byte(s.String()))
+			hash.Write([]byte("|"))
+		}
+		hash.Write([]byte("]"))
 	}
 	return types.HandlerID("upstream-" + hex.EncodeToString(hash.Sum(nil)[:8]))
 }
@@ -194,13 +248,31 @@ func (u *upstreamResolverBase) MatchSubdomains() bool {
 }
 
 func (u *upstreamResolverBase) Stop() {
-	log.Debugf("stopping serving DNS for upstreams %s", u.upstreamServers)
+	log.Debugf("stopping serving DNS for upstreams %s", u.flatUpstreams())
 	u.cancel()
+}
 
-	u.mutex.Lock()
+// flatUpstreams is for logging and ID hashing only, not for dispatch.
-	u.wg.Wait()
+func (u *upstreamResolverBase) flatUpstreams() []netip.AddrPort {
-	u.mutex.Unlock()
+	var out []netip.AddrPort
+	for _, g := range u.upstreamServers {
+		out = append(out, g...)
+	}
+	return out
+}
 
+// setSelectedRoutes swaps the accessor used to classify overlay-routed
+// upstreams. Called when route sources are wired after the handler was
+// built (permanent / iOS constructors).
+func (u *upstreamResolverBase) setSelectedRoutes(selected func() route.HAMap) {
+	u.selectedRoutes = selected
+}
+
+func (u *upstreamResolverBase) addRace(servers []netip.AddrPort) {
+	if len(servers) == 0 {
+		return
+	}
+	u.upstreamServers = append(u.upstreamServers, slices.Clone(servers))
 }
 
 // ServeDNS handles a DNS request
@@ -242,82 +314,201 @@ func (u *upstreamResolverBase) prepareRequest(r *dns.Msg) {
 }
 
 func (u *upstreamResolverBase) tryUpstreamServers(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, logger *log.Entry) (bool, []upstreamFailure) {
-	timeout := u.upstreamTimeout
+	groups := u.upstreamServers
-	if len(u.upstreamServers) > 1 {
+	switch len(groups) {
-		maxTotal := 5 * time.Second
+	case 0:
-		minPerUpstream := 2 * time.Second
+		return false, nil
-		scaledTimeout := maxTotal / time.Duration(len(u.upstreamServers))
+	case 1:
-		if scaledTimeout > minPerUpstream {
+		return u.tryOnlyRace(ctx, w, r, groups[0], logger)
-			timeout = scaledTimeout
+	default:
-		} else {
+		return u.raceAll(ctx, w, r, groups, logger)
-			timeout = minPerUpstream
+	}
-		}
+}
+
+func (u *upstreamResolverBase) tryOnlyRace(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, group upstreamRace, logger *log.Entry) (bool, []upstreamFailure) {
+	res := u.tryRace(ctx, r, group)
+	if res.msg == nil {
+		return false, res.failures
+	}
+	if res.ede != "" {
+		resutil.SetMeta(w, "ede", res.ede)
+	}
+	u.writeSuccessResponse(w, res.msg, res.upstream, r.Question[0].Name, res.protocol, logger)
+	return true, res.failures
+}
+
+// raceAll runs one worker per group in parallel, taking the first valid
+// answer and cancelling the rest.
+func (u *upstreamResolverBase) raceAll(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, groups []upstreamRace, logger *log.Entry) (bool, []upstreamFailure) {
+	raceCtx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	// Buffer sized to len(groups) so workers never block on send, even
+	// after the coordinator has returned.
+	results := make(chan raceResult, len(groups))
+	for _, g := range groups {
+		// tryRace clones the request per attempt, so workers never share
+		// a *dns.Msg and concurrent EDNS0 mutations can't race.
+		go func(g upstreamRace) {
+			results <- u.tryRace(raceCtx, r, g)
+		}(g)
 	}
 
 	var failures []upstreamFailure
-	for _, upstream := range u.upstreamServers {
+	for range groups {
-		if failure := u.queryUpstream(ctx, w, r, upstream, timeout, logger); failure != nil {
+		select {
-			failures = append(failures, *failure)
+		case res := <-results:
-		} else {
+			failures = append(failures, res.failures...)
-			return true, failures
+			if res.msg != nil {
+				if res.ede != "" {
+					resutil.SetMeta(w, "ede", res.ede)
+				}
+				u.writeSuccessResponse(w, res.msg, res.upstream, r.Question[0].Name, res.protocol, logger)
+				return true, failures
+			}
+		case <-ctx.Done():
+			return false, failures
 		}
 	}
 	return false, failures
 }
 
-// queryUpstream queries a single upstream server. Returns nil on success, or failure info to try next upstream.
+func (u *upstreamResolverBase) tryRace(ctx context.Context, r *dns.Msg, group upstreamRace) raceResult {
-func (u *upstreamResolverBase) queryUpstream(parentCtx context.Context, w dns.ResponseWriter, r *dns.Msg, upstream netip.AddrPort, timeout time.Duration, logger *log.Entry) *upstreamFailure {
+	timeout := u.upstreamTimeout
-	var rm *dns.Msg
+	if len(group) > 1 {
-	var t time.Duration
+		// Cap the whole walk at raceMaxTotalTimeout: per-upstream timeouts
-	var err error
+		// still honor raceMinPerUpstreamTimeout as a floor for correctness
+		// on slow links, but the outer context ensures the combined walk
+		// cannot exceed the cap regardless of group size.
+		timeout = max(raceMaxTotalTimeout/time.Duration(len(group)), raceMinPerUpstreamTimeout)
+		var cancel context.CancelFunc
+		ctx, cancel = context.WithTimeout(ctx, raceMaxTotalTimeout)
+		defer cancel()
+	}
+
+	var failures []upstreamFailure
+	for _, upstream := range group {
+		if ctx.Err() != nil {
+			return raceResult{failures: failures}
+		}
+		// Clone the request per attempt: the exchange path mutates EDNS0
+		// options in-place, so reusing the same *dns.Msg across sequential
+		// upstreams would carry those mutations (e.g. a reduced UDP size)
+		// into the next attempt.
+		res, failure := u.queryUpstream(ctx, r.Copy(), upstream, timeout)
+		if failure != nil {
+			failures = append(failures, *failure)
+			continue
+		}
+		res.failures = failures
+		return res
+	}
+	return raceResult{failures: failures}
+}
+
+func (u *upstreamResolverBase) queryUpstream(parentCtx context.Context, r *dns.Msg, upstream netip.AddrPort, timeout time.Duration) (raceResult, *upstreamFailure) {
+	ctx, cancel := context.WithTimeout(parentCtx, timeout)
+	defer cancel()
+	ctx, upstreamProto := contextWithUpstreamProtocolResult(ctx)
 
 	// Advertise EDNS0 so the upstream may include Extended DNS Errors
 	// (RFC 8914) in failure responses; we use those to short-circuit
 	// failover for definitive answers like DNSSEC validation failures.
-	// Operate on a copy so the inbound request is unchanged: a client that
+	// The caller already passed a per-attempt copy, so we can mutate r
-	// did not advertise EDNS0 must not see an OPT in the response.
+	// directly; hadEdns reflects the original client request's state and
+	// controls whether we strip the OPT from the response.
 	hadEdns := r.IsEdns0() != nil
-	reqUp := r
 	if !hadEdns {
-		reqUp = r.Copy()
+		r.SetEdns0(upstreamUDPSize(), false)
-		reqUp.SetEdns0(upstreamUDPSize(), false)
 	}
 
-	var startTime time.Time
+	startTime := time.Now()
-	var upstreamProto *upstreamProtocolResult
+	rm, _, err := u.upstreamClient.exchange(ctx, upstream.String(), r)
-	func() {
-		ctx, cancel := context.WithTimeout(parentCtx, timeout)
-		defer cancel()
-		ctx, upstreamProto = contextWithupstreamProtocolResult(ctx)
-		startTime = time.Now()
-		rm, t, err = u.upstreamClient.exchange(ctx, upstream.String(), reqUp)
-	}()
 
 	if err != nil {
-		return u.handleUpstreamError(err, upstream, startTime)
+		// A parent cancellation (e.g., another race won and the coordinator
+		// cancelled the losers) is not an upstream failure. Check both the
+		// error chain and the parent context: a transport may surface the
+		// cancellation as a read/deadline error rather than context.Canceled.
+		if errors.Is(err, context.Canceled) || errors.Is(parentCtx.Err(), context.Canceled) {
+			return raceResult{}, &upstreamFailure{upstream: upstream, reason: "canceled"}
+		}
+		failure := u.handleUpstreamError(err, upstream, startTime)
+		u.markUpstreamFail(upstream, failure.reason)
+		return raceResult{}, failure
 	}
 
 	if rm == nil || !rm.Response {
-		return &upstreamFailure{upstream: upstream, reason: "no response"}
+		u.markUpstreamFail(upstream, "no response")
+		return raceResult{}, &upstreamFailure{upstream: upstream, reason: "no response"}
+	}
+
+	proto := ""
+	if upstreamProto != nil {
+		proto = upstreamProto.protocol
 	}
 
 	if rm.Rcode == dns.RcodeServerFailure || rm.Rcode == dns.RcodeRefused {
 		if code, ok := nonRetryableEDE(rm); ok {
-			resutil.SetMeta(w, "ede", edeName(code))
 			if !hadEdns {
 				stripOPT(rm)
 			}
-			u.writeSuccessResponse(w, rm, upstream, r.Question[0].Name, t, upstreamProto, logger)
+			u.markUpstreamOk(upstream)
-			return nil
+			return raceResult{msg: rm, upstream: upstream, protocol: proto, ede: edeName(code)}, nil
 		}
-		return &upstreamFailure{upstream: upstream, reason: dns.RcodeToString[rm.Rcode]}
+		reason := dns.RcodeToString[rm.Rcode]
+		u.markUpstreamFail(upstream, reason)
+		return raceResult{}, &upstreamFailure{upstream: upstream, reason: reason}
 	}
 
 	if !hadEdns {
 		stripOPT(rm)
 	}
-	u.writeSuccessResponse(w, rm, upstream, r.Question[0].Name, t, upstreamProto, logger)
+
-	return nil
+	u.markUpstreamOk(upstream)
+	return raceResult{msg: rm, upstream: upstream, protocol: proto}, nil
+}
+
+// healthEntry returns the mutable health record for addr, lazily creating
+// the map and the entry. Caller must hold u.healthMu.
+func (u *upstreamResolverBase) healthEntry(addr netip.AddrPort) *UpstreamHealth {
+	if u.health == nil {
+		u.health = make(map[netip.AddrPort]*UpstreamHealth)
+	}
+	h := u.health[addr]
+	if h == nil {
+		h = &UpstreamHealth{}
+		u.health[addr] = h
+	}
+	return h
+}
+
+func (u *upstreamResolverBase) markUpstreamOk(addr netip.AddrPort) {
+	u.healthMu.Lock()
+	defer u.healthMu.Unlock()
+	h := u.healthEntry(addr)
+	h.LastOk = time.Now()
+	h.LastFail = time.Time{}
+	h.LastErr = ""
+}
+
+func (u *upstreamResolverBase) markUpstreamFail(addr netip.AddrPort, reason string) {
+	u.healthMu.Lock()
+	defer u.healthMu.Unlock()
+	h := u.healthEntry(addr)
+	h.LastFail = time.Now()
+	h.LastErr = reason
+}
+
+// UpstreamHealth returns a snapshot of per-upstream query outcomes.
+func (u *upstreamResolverBase) UpstreamHealth() map[netip.AddrPort]UpstreamHealth {
+	u.healthMu.RLock()
+	defer u.healthMu.RUnlock()
+	out := make(map[netip.AddrPort]UpstreamHealth, len(u.health))
+	for k, v := range u.health {
+		out[k] = *v
+	}
+	return out
 }
 
 // upstreamUDPSize returns the EDNS0 UDP buffer size we advertise to upstreams,
@@ -358,12 +549,23 @@ func (u *upstreamResolverBase) handleUpstreamError(err error, upstream netip.Add
 	return &upstreamFailure{upstream: upstream, reason: reason}
 }
 
-func (u *upstreamResolverBase) writeSuccessResponse(w dns.ResponseWriter, rm *dns.Msg, upstream netip.AddrPort, domain string, t time.Duration, upstreamProto *upstreamProtocolResult, logger *log.Entry) bool {
+func (u *upstreamResolverBase) debugUpstreamTimeout(upstream netip.AddrPort) string {
-	u.successCount.Add(1)
+	if u.statusRecorder == nil {
+		return ""
+	}
 
+	peerInfo := findPeerForIP(upstream.Addr(), u.statusRecorder)
+	if peerInfo == nil {
+		return ""
+	}
+
+	return fmt.Sprintf("(routes through NetBird peer %s)", FormatPeerStatus(peerInfo))
+}
+
+func (u *upstreamResolverBase) writeSuccessResponse(w dns.ResponseWriter, rm *dns.Msg, upstream netip.AddrPort, domain string, proto string, logger *log.Entry) {
 	resutil.SetMeta(w, "upstream", upstream.String())
-	if upstreamProto != nil && upstreamProto.protocol != "" {
+	if proto != "" {
-		resutil.SetMeta(w, "upstream_protocol", upstreamProto.protocol)
+		resutil.SetMeta(w, "upstream_protocol", proto)
 	}
 
 	// Clear Zero bit from external responses to prevent upstream servers from
@@ -372,14 +574,11 @@ func (u *upstreamResolverBase) writeSuccessResponse(w dns.ResponseWriter, rm *dn
 
 	if err := w.WriteMsg(rm); err != nil {
 		logger.Errorf("failed to write DNS response for question domain=%s: %s", domain, err)
-		return true
 	}
-
-	return true
 }
 
 func (u *upstreamResolverBase) logUpstreamFailures(domain string, failures []upstreamFailure, succeeded bool, logger *log.Entry) {
-	totalUpstreams := len(u.upstreamServers)
+	totalUpstreams := len(u.flatUpstreams())
 	failedCount := len(failures)
 	failureSummary := formatFailures(failures)
 
@@ -434,119 +633,6 @@ func edeName(code uint16) string {
 	return fmt.Sprintf("EDE %d", code)
 }
 
-// ProbeAvailability tests all upstream servers simultaneously and
-// disables the resolver if none work
-func (u *upstreamResolverBase) ProbeAvailability(ctx context.Context) {
-	u.mutex.Lock()
-	defer u.mutex.Unlock()
-
-	// avoid probe if upstreams could resolve at least one query
-	if u.successCount.Load() > 0 {
-		return
-	}
-
-	var success bool
-	var mu sync.Mutex
-	var wg sync.WaitGroup
-
-	var errs *multierror.Error
-	for _, upstream := range u.upstreamServers {
-		wg.Add(1)
-		go func(upstream netip.AddrPort) {
-			defer wg.Done()
-			err := u.testNameserver(u.ctx, ctx, upstream, 500*time.Millisecond)
-			if err != nil {
-				mu.Lock()
-				errs = multierror.Append(errs, err)
-				mu.Unlock()
-				log.Warnf("probing upstream nameserver %s: %s", upstream, err)
-				return
-			}
-
-			mu.Lock()
-			success = true
-			mu.Unlock()
-		}(upstream)
-	}
-
-	wg.Wait()
-
-	select {
-	case <-ctx.Done():
-		return
-	case <-u.ctx.Done():
-		return
-	default:
-	}
-
-	// didn't find a working upstream server, let's disable and try later
-	if !success {
-		u.disable(errs.ErrorOrNil())
-
-		if u.statusRecorder == nil {
-			return
-		}
-
-		u.statusRecorder.PublishEvent(
-			proto.SystemEvent_WARNING,
-			proto.SystemEvent_DNS,
-			"All upstream servers failed (probe failed)",
-			"Unable to reach one or more DNS servers. This might affect your ability to connect to some services.",
-			map[string]string{"upstreams": u.upstreamServersString()},
-		)
-	}
-}
-
-// waitUntilResponse retries, in an exponential interval, querying the upstream servers until it gets a positive response
-func (u *upstreamResolverBase) waitUntilResponse() {
-	exponentialBackOff := &backoff.ExponentialBackOff{
-		InitialInterval:     500 * time.Millisecond,
-		RandomizationFactor: 0.5,
-		Multiplier:          1.1,
-		MaxInterval:         u.reactivatePeriod,
-		MaxElapsedTime:      0,
-		Stop:                backoff.Stop,
-		Clock:               backoff.SystemClock,
-	}
-
-	operation := func() error {
-		select {
-		case <-u.ctx.Done():
-			return backoff.Permanent(fmt.Errorf("exiting upstream retry loop for upstreams %s: parent context has been canceled", u.upstreamServersString()))
-		default:
-		}
-
-		for _, upstream := range u.upstreamServers {
-			if err := u.testNameserver(u.ctx, nil, upstream, probeTimeout); err != nil {
-				log.Tracef("upstream check for %s: %s", upstream, err)
-			} else {
-				// at least one upstream server is available, stop probing
-				return nil
-			}
-		}
-
-		log.Tracef("checking connectivity with upstreams %s failed. Retrying in %s", u.upstreamServersString(), exponentialBackOff.NextBackOff())
-		return fmt.Errorf("upstream check call error")
-	}
-
-	err := backoff.Retry(operation, backoff.WithContext(exponentialBackOff, u.ctx))
-	if err != nil {
-		if errors.Is(err, context.Canceled) {
-			log.Debugf("upstream retry loop exited for upstreams %s", u.upstreamServersString())
-		} else {
-			log.Warnf("upstream retry loop exited for upstreams %s: %v", u.upstreamServersString(), err)
-		}
-		return
-	}
-
-	log.Infof("upstreams %s are responsive again. Adding them back to system", u.upstreamServersString())
-	u.successCount.Add(1)
-	u.reactivate()
-	u.mutex.Lock()
-	u.disabled = false
-	u.mutex.Unlock()
-}
-
 // isTimeout returns true if the given error is a network timeout error.
 //
 // Copied from k8s.io/apimachinery/pkg/util/net.IsTimeout
@@ -558,45 +644,6 @@ func isTimeout(err error) bool {
 	return false
 }
 
-func (u *upstreamResolverBase) disable(err error) {
-	if u.disabled {
-		return
-	}
-
-	log.Warnf("Upstream resolving is Disabled for %v", reactivatePeriod)
-	u.successCount.Store(0)
-	u.deactivate(err)
-	u.disabled = true
-	u.wg.Add(1)
-	go func() {
-		defer u.wg.Done()
-		u.waitUntilResponse()
-	}()
-}
-
-func (u *upstreamResolverBase) upstreamServersString() string {
-	var servers []string
-	for _, server := range u.upstreamServers {
-		servers = append(servers, server.String())
-	}
-	return strings.Join(servers, ", ")
-}
-
-func (u *upstreamResolverBase) testNameserver(baseCtx context.Context, externalCtx context.Context, server netip.AddrPort, timeout time.Duration) error {
-	mergedCtx, cancel := context.WithTimeout(baseCtx, timeout)
-	defer cancel()
-
-	if externalCtx != nil {
-		stop2 := context.AfterFunc(externalCtx, cancel)
-		defer stop2()
-	}
-
-	r := new(dns.Msg).SetQuestion(testRecord, dns.TypeSOA)
-
-	_, _, err := u.upstreamClient.exchange(mergedCtx, server.String(), r)
-	return err
-}
-
 // clientUDPMaxSize returns the maximum UDP response size the client accepts.
 func clientUDPMaxSize(r *dns.Msg) int {
 	if opt := r.IsEdns0(); opt != nil {
@@ -608,13 +655,10 @@ func clientUDPMaxSize(r *dns.Msg) int {
 // ExchangeWithFallback exchanges a DNS message with the upstream server.
 // It first tries to use UDP, and if it is truncated, it falls back to TCP.
 // If the inbound request came over TCP (via context), it skips the UDP attempt.
-// If the passed context is nil, this will use Exchange instead of ExchangeContext.
 func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, upstream string) (*dns.Msg, time.Duration, error) {
 	// If the request came in over TCP, go straight to TCP upstream.
 	if dnsProtocolFromContext(ctx) == protoTCP {
-		tcpClient := *client
+		rm, t, err := toTCPClient(client).ExchangeContext(ctx, r, upstream)
-		tcpClient.Net = protoTCP
-		rm, t, err := tcpClient.ExchangeContext(ctx, r, upstream)
 		if err != nil {
 			return nil, t, fmt.Errorf("with tcp: %w", err)
 		}
@@ -634,18 +678,7 @@ func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, u
 		opt.SetUDPSize(maxUDPPayload)
 	}
 
-	var (
+	rm, t, err := client.ExchangeContext(ctx, r, upstream)
-		rm  *dns.Msg
-		t   time.Duration
-		err error
-	)
-
-	if ctx == nil {
-		rm, t, err = client.Exchange(r, upstream)
-	} else {
-		rm, t, err = client.ExchangeContext(ctx, r, upstream)
-	}
-
 	if err != nil {
 		return nil, t, fmt.Errorf("with udp: %w", err)
 	}
@@ -659,15 +692,7 @@ func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, u
 	// data than the client's buffer, we could truncate locally and skip
 	// the TCP retry.
 
-	tcpClient := *client
+	rm, t, err = toTCPClient(client).ExchangeContext(ctx, r, upstream)
-	tcpClient.Net = protoTCP
-
-	if ctx == nil {
-		rm, t, err = tcpClient.Exchange(r, upstream)
-	} else {
-		rm, t, err = tcpClient.ExchangeContext(ctx, r, upstream)
-	}
-
 	if err != nil {
 		return nil, t, fmt.Errorf("with tcp: %w", err)
 	}
@@ -681,6 +706,25 @@ func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, u
 	return rm, t, nil
 }
 
+// toTCPClient returns a copy of c configured for TCP. If c's Dialer has a
+// *net.UDPAddr bound as LocalAddr (iOS does this to keep the source IP on
+// the tunnel interface), it is converted to the equivalent *net.TCPAddr
+// so net.Dialer doesn't reject the TCP dial with "mismatched local
+// address type".
+func toTCPClient(c *dns.Client) *dns.Client {
+	tcp := *c
+	tcp.Net = protoTCP
+	if tcp.Dialer == nil {
+		return &tcp
+	}
+	d := *tcp.Dialer
+	if ua, ok := d.LocalAddr.(*net.UDPAddr); ok {
+		d.LocalAddr = &net.TCPAddr{IP: ua.IP, Port: ua.Port, Zone: ua.Zone}
+	}
+	tcp.Dialer = &d
+	return &tcp
+}
+
 // ExchangeWithNetstack performs a DNS exchange using netstack for dialing.
 // This is needed when netstack is enabled to reach peer IPs through the tunnel.
 func ExchangeWithNetstack(ctx context.Context, nsNet *netstack.Net, r *dns.Msg, upstream string) (*dns.Msg, error) {
@@ -822,15 +866,36 @@ func findPeerForIP(ip netip.Addr, statusRecorder *peer.Status) *peer.State {
 	return bestMatch
 }
 
-func (u *upstreamResolverBase) debugUpstreamTimeout(upstream netip.AddrPort) string {
+// haMapRouteCount returns the total number of routes across all HA
-	if u.statusRecorder == nil {
+// groups in the map. route.HAMap is keyed by HAUniqueID with slices of
-		return ""
+// routes per key, so len(hm) is the number of HA groups, not routes.
+func haMapRouteCount(hm route.HAMap) int {
+	total := 0
+	for _, routes := range hm {
+		total += len(routes)
 	}
-
+	return total
-	peerInfo := findPeerForIP(upstream.Addr(), u.statusRecorder)
+}
-	if peerInfo == nil {
+
-		return ""
+// haMapContains checks whether ip is covered by any concrete prefix in
-	}
+// the HA map. haveDynamic is reported separately: dynamic (domain-based)
-
+// routes carry a placeholder Network that can't be prefix-checked, so we
-	return fmt.Sprintf("(routes through NetBird peer %s)", FormatPeerStatus(peerInfo))
+// can't know at this point whether ip is reached through one. Callers
+// decide how to interpret the unknown: health projection treats it as
+// "possibly routed" to avoid emitting false-positive warnings during
+// startup, while iOS dial selection requires a concrete match before
+// binding to the tunnel.
+func haMapContains(hm route.HAMap, ip netip.Addr) (matched, haveDynamic bool) {
+	for _, routes := range hm {
+		for _, r := range routes {
+			if r.IsDynamic() {
+				haveDynamic = true
+				continue
+			}
+			if r.Network.Contains(ip) {
+				return true, haveDynamic
+			}
+		}
+	}
+	return false, haveDynamic
 }

client/internal/dns/upstream_android.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/netbirdio/netbird/client/internal/peer"
 	nbnet "github.com/netbirdio/netbird/client/net"
+	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
 type upstreamResolver struct {
@@ -26,9 +27,9 @@ func newUpstreamResolver(
 	_ WGIface,
 	statusRecorder *peer.Status,
 	hostsDNSHolder *hostsDNSHolder,
-	domain string,
+	d domain.Domain,
 ) (*upstreamResolver, error) {
-	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, domain)
+	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, d)
 	c := &upstreamResolver{
 		upstreamResolverBase: upstreamResolverBase,
 		hostsDNSHolder:       hostsDNSHolder,

client/internal/dns/upstream_general.go

@@ -12,6 +12,7 @@ import (
 	"golang.zx2c4.com/wireguard/tun/netstack"
 
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
 type upstreamResolver struct {
@@ -24,9 +25,9 @@ func newUpstreamResolver(
 	wgIface WGIface,
 	statusRecorder *peer.Status,
 	_ *hostsDNSHolder,
-	domain string,
+	d domain.Domain,
 ) (*upstreamResolver, error) {
-	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, domain)
+	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, d)
 	nonIOS := &upstreamResolver{
 		upstreamResolverBase: upstreamResolverBase,
 		nsNet:                wgIface.GetNet(),

client/internal/dns/upstream_ios.go

@@ -15,6 +15,7 @@ import (
 	"golang.org/x/sys/unix"
 
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
 type upstreamResolverIOS struct {
@@ -27,9 +28,9 @@ func newUpstreamResolver(
 	wgIface WGIface,
 	statusRecorder *peer.Status,
 	_ *hostsDNSHolder,
-	domain string,
+	d domain.Domain,
 ) (*upstreamResolverIOS, error) {
-	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, domain)
+	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder, d)
 
 	ios := &upstreamResolverIOS{
 		upstreamResolverBase: upstreamResolverBase,
@@ -62,9 +63,16 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 		upstreamIP = upstreamIP.Unmap()
 	}
 	addr := u.wgIface.Address()
+	var routed bool
+	if u.selectedRoutes != nil {
+		// Only a concrete prefix match binds to the tunnel: dialing
+		// through a private client for an upstream we can't prove is
+		// routed would break public resolvers.
+		routed, _ = haMapContains(u.selectedRoutes(), upstreamIP)
+	}
 	needsPrivate := addr.Network.Contains(upstreamIP) ||
 		addr.IPv6Net.Contains(upstreamIP) ||
-		(u.routeMatch != nil && u.routeMatch(upstreamIP))
+		routed
 	if needsPrivate {
 		log.Debugf("using private client to query %s via upstream %s", r.Question[0].Name, upstream)
 		client, err = GetClientPrivate(u.wgIface, upstreamIP, timeout)
@@ -73,8 +81,7 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 		}
 	}
 
-	// Cannot use client.ExchangeContext because it overwrites our Dialer
+	return ExchangeWithFallback(ctx, client, r, upstream)
-	return ExchangeWithFallback(nil, client, r, upstream)
 }
 
 // GetClientPrivate returns a new DNS client bound to the local IP of the Netbird interface.

client/internal/dns/upstream_test.go

@@ -6,6 +6,7 @@ import (
 	"net"
 	"net/netip"
 	"strings"
+	"sync/atomic"
 	"testing"
 	"time"
 
@@ -73,7 +74,7 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 					servers = append(servers, netip.AddrPortFrom(addrPort.Addr().Unmap(), addrPort.Port()))
 				}
 			}
-			resolver.upstreamServers = servers
+			resolver.addRace(servers)
 			resolver.upstreamTimeout = testCase.timeout
 			if testCase.cancelCTX {
 				cancel()
@@ -132,20 +133,10 @@ func (m *mockNetstackProvider) GetInterfaceGUIDString() (string, error) {
 	return "", nil
 }
 
-type mockUpstreamResolver struct {
-	r   *dns.Msg
-	rtt time.Duration
-	err error
-}
-
-// exchange mock implementation of exchange from upstreamResolver
-func (c mockUpstreamResolver) exchange(_ context.Context, _ string, _ *dns.Msg) (*dns.Msg, time.Duration, error) {
-	return c.r, c.rtt, c.err
-}
-
 type mockUpstreamResponse struct {
-	msg *dns.Msg
+	msg   *dns.Msg
-	err error
+	err   error
+	delay time.Duration
 }
 
 type mockUpstreamResolverPerServer struct {
@@ -153,63 +144,19 @@ type mockUpstreamResolverPerServer struct {
 	rtt       time.Duration
 }
 
-func (c mockUpstreamResolverPerServer) exchange(_ context.Context, upstream string, _ *dns.Msg) (*dns.Msg, time.Duration, error) {
+func (c mockUpstreamResolverPerServer) exchange(ctx context.Context, upstream string, _ *dns.Msg) (*dns.Msg, time.Duration, error) {
-	if r, ok := c.responses[upstream]; ok {
+	r, ok := c.responses[upstream]
-		return r.msg, c.rtt, r.err
+	if !ok {
+		return nil, c.rtt, fmt.Errorf("no mock response for %s", upstream)
 	}
-	return nil, c.rtt, fmt.Errorf("no mock response for %s", upstream)
+	if r.delay > 0 {
-}
+		select {
-
+		case <-time.After(r.delay):
-func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
+		case <-ctx.Done():
-	mockClient := &mockUpstreamResolver{
+			return nil, c.rtt, ctx.Err()
-		err: dns.ErrTime,
+		}
-		r:   new(dns.Msg),
-		rtt: time.Millisecond,
-	}
-
-	resolver := &upstreamResolverBase{
-		ctx:              context.TODO(),
-		upstreamClient:   mockClient,
-		upstreamTimeout:  UpstreamTimeout,
-		reactivatePeriod: time.Microsecond * 100,
-	}
-	addrPort, _ := netip.ParseAddrPort("0.0.0.0:1") // Use valid port for parsing, test will still fail on connection
-	resolver.upstreamServers = []netip.AddrPort{netip.AddrPortFrom(addrPort.Addr().Unmap(), addrPort.Port())}
-
-	failed := false
-	resolver.deactivate = func(error) {
-		failed = true
-		// After deactivation, make the mock client work again
-		mockClient.err = nil
-	}
-
-	reactivated := false
-	resolver.reactivate = func() {
-		reactivated = true
-	}
-
-	resolver.ProbeAvailability(context.TODO())
-
-	if !failed {
-		t.Errorf("expected that resolving was deactivated")
-		return
-	}
-
-	if !resolver.disabled {
-		t.Errorf("resolver should be Disabled")
-		return
-	}
-
-	time.Sleep(time.Millisecond * 200)
-
-	if !reactivated {
-		t.Errorf("expected that resolving was reactivated")
-		return
-	}
-
-	if resolver.disabled {
-		t.Errorf("should be enabled")
 	}
+	return r.msg, c.rtt, r.err
 }
 
 func TestUpstreamResolver_Failover(t *testing.T) {
@@ -339,9 +286,9 @@ func TestUpstreamResolver_Failover(t *testing.T) {
 			resolver := &upstreamResolverBase{
 				ctx:             ctx,
 				upstreamClient:  trackingClient,
-				upstreamServers: []netip.AddrPort{upstream1, upstream2},
 				upstreamTimeout: UpstreamTimeout,
 			}
+			resolver.addRace([]netip.AddrPort{upstream1, upstream2})
 
 			var responseMSG *dns.Msg
 			responseWriter := &test.MockResponseWriter{
@@ -421,9 +368,9 @@ func TestUpstreamResolver_SingleUpstreamFailure(t *testing.T) {
 	resolver := &upstreamResolverBase{
 		ctx:             ctx,
 		upstreamClient:  mockClient,
-		upstreamServers: []netip.AddrPort{upstream},
 		upstreamTimeout: UpstreamTimeout,
 	}
+	resolver.addRace([]netip.AddrPort{upstream})
 
 	var responseMSG *dns.Msg
 	responseWriter := &test.MockResponseWriter{
@@ -440,6 +387,136 @@ func TestUpstreamResolver_SingleUpstreamFailure(t *testing.T) {
 	assert.Equal(t, dns.RcodeServerFailure, responseMSG.Rcode, "single upstream SERVFAIL should return SERVFAIL")
 }
 
+// TestUpstreamResolver_RaceAcrossGroups covers two nameserver groups
+// configured for the same domain, with one broken group. The merge+race
+// path should answer as fast as the working group and not pay the timeout
+// of the broken one on every query.
+func TestUpstreamResolver_RaceAcrossGroups(t *testing.T) {
+	broken := netip.MustParseAddrPort("192.0.2.1:53")
+	working := netip.MustParseAddrPort("192.0.2.2:53")
+	successAnswer := "192.0.2.100"
+	timeoutErr := &net.OpError{Op: "read", Err: fmt.Errorf("i/o timeout")}
+
+	mockClient := &mockUpstreamResolverPerServer{
+		responses: map[string]mockUpstreamResponse{
+			// Force the broken upstream to only unblock via timeout /
+			// cancellation so the assertion below can't pass if races
+			// were run serially.
+			broken.String():  {err: timeoutErr, delay: 500 * time.Millisecond},
+			working.String(): {msg: buildMockResponse(dns.RcodeSuccess, successAnswer)},
+		},
+		rtt: time.Millisecond,
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	resolver := &upstreamResolverBase{
+		ctx:             ctx,
+		upstreamClient:  mockClient,
+		upstreamTimeout: 250 * time.Millisecond,
+	}
+	resolver.addRace([]netip.AddrPort{broken})
+	resolver.addRace([]netip.AddrPort{working})
+
+	var responseMSG *dns.Msg
+	responseWriter := &test.MockResponseWriter{
+		WriteMsgFunc: func(m *dns.Msg) error {
+			responseMSG = m
+			return nil
+		},
+	}
+
+	inputMSG := new(dns.Msg).SetQuestion("example.com.", dns.TypeA)
+	start := time.Now()
+	resolver.ServeDNS(responseWriter, inputMSG)
+	elapsed := time.Since(start)
+
+	require.NotNil(t, responseMSG, "should write a response")
+	assert.Equal(t, dns.RcodeSuccess, responseMSG.Rcode)
+	require.NotEmpty(t, responseMSG.Answer)
+	assert.Contains(t, responseMSG.Answer[0].String(), successAnswer)
+	// Working group answers in a single RTT; the broken group's
+	// timeout (100ms) must not block the response.
+	assert.Less(t, elapsed, 100*time.Millisecond, "race must not wait for broken group's timeout")
+}
+
+// TestUpstreamResolver_AllGroupsFail checks that when every group fails the
+// resolver returns SERVFAIL rather than leaking a partial response.
+func TestUpstreamResolver_AllGroupsFail(t *testing.T) {
+	a := netip.MustParseAddrPort("192.0.2.1:53")
+	b := netip.MustParseAddrPort("192.0.2.2:53")
+
+	mockClient := &mockUpstreamResolverPerServer{
+		responses: map[string]mockUpstreamResponse{
+			a.String(): {msg: buildMockResponse(dns.RcodeServerFailure, "")},
+			b.String(): {msg: buildMockResponse(dns.RcodeServerFailure, "")},
+		},
+		rtt: time.Millisecond,
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	resolver := &upstreamResolverBase{
+		ctx:             ctx,
+		upstreamClient:  mockClient,
+		upstreamTimeout: UpstreamTimeout,
+	}
+	resolver.addRace([]netip.AddrPort{a})
+	resolver.addRace([]netip.AddrPort{b})
+
+	var responseMSG *dns.Msg
+	responseWriter := &test.MockResponseWriter{
+		WriteMsgFunc: func(m *dns.Msg) error {
+			responseMSG = m
+			return nil
+		},
+	}
+
+	resolver.ServeDNS(responseWriter, new(dns.Msg).SetQuestion("example.com.", dns.TypeA))
+	require.NotNil(t, responseMSG)
+	assert.Equal(t, dns.RcodeServerFailure, responseMSG.Rcode)
+}
+
+// TestUpstreamResolver_HealthTracking verifies that query-path results are
+// recorded into per-upstream health, which is what projects back to
+// NSGroupState for status reporting.
+func TestUpstreamResolver_HealthTracking(t *testing.T) {
+	ok := netip.MustParseAddrPort("192.0.2.10:53")
+	bad := netip.MustParseAddrPort("192.0.2.11:53")
+
+	mockClient := &mockUpstreamResolverPerServer{
+		responses: map[string]mockUpstreamResponse{
+			ok.String():  {msg: buildMockResponse(dns.RcodeSuccess, "192.0.2.100")},
+			bad.String(): {msg: buildMockResponse(dns.RcodeServerFailure, "")},
+		},
+		rtt: time.Millisecond,
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	resolver := &upstreamResolverBase{
+		ctx:             ctx,
+		upstreamClient:  mockClient,
+		upstreamTimeout: UpstreamTimeout,
+	}
+	resolver.addRace([]netip.AddrPort{ok, bad})
+
+	responseWriter := &test.MockResponseWriter{WriteMsgFunc: func(m *dns.Msg) error { return nil }}
+	resolver.ServeDNS(responseWriter, new(dns.Msg).SetQuestion("example.com.", dns.TypeA))
+
+	health := resolver.UpstreamHealth()
+	require.Contains(t, health, ok)
+	assert.False(t, health[ok].LastOk.IsZero(), "ok upstream should have LastOk set")
+	assert.Empty(t, health[ok].LastErr)
+
+	// bad upstream was never tried because ok answered first; its health
+	// should remain unset.
+	assert.NotContains(t, health, bad, "sibling upstream should not be queried when primary answers")
+}
+
 func TestFormatFailures(t *testing.T) {
 	testCases := []struct {
 		name     string
@@ -665,10 +742,10 @@ func TestExchangeWithFallback_EDNS0Capped(t *testing.T) {
 	// Verify that a client EDNS0 larger than our MTU-derived limit gets
 	// capped in the outgoing request so the upstream doesn't send a
 	// response larger than our read buffer.
-	var receivedUDPSize uint16
+	var receivedUDPSize atomic.Uint32
 	udpHandler := dns.HandlerFunc(func(w dns.ResponseWriter, r *dns.Msg) {
 		if opt := r.IsEdns0(); opt != nil {
-			receivedUDPSize = opt.UDPSize()
+			receivedUDPSize.Store(uint32(opt.UDPSize()))
 		}
 		m := new(dns.Msg)
 		m.SetReply(r)
@@ -699,7 +776,7 @@ func TestExchangeWithFallback_EDNS0Capped(t *testing.T) {
 	require.NotNil(t, rm)
 
 	expectedMax := uint16(currentMTU - ipUDPHeaderSize)
-	assert.Equal(t, expectedMax, receivedUDPSize,
+	assert.Equal(t, expectedMax, uint16(receivedUDPSize.Load()),
 		"upstream should see capped EDNS0, not the client's 4096")
 }
 
@@ -874,7 +951,7 @@ func TestUpstreamResolver_NonRetryableEDEShortCircuits(t *testing.T) {
 	resolver := &upstreamResolverBase{
 		ctx:             ctx,
 		upstreamClient:  tracking,
-		upstreamServers: []netip.AddrPort{upstream1, upstream2},
+		upstreamServers: []upstreamRace{{upstream1, upstream2}},
 		upstreamTimeout: UpstreamTimeout,
 	}
 

client/internal/engine.go

@@ -512,16 +512,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 
 	e.routeManager.SetRouteChangeListener(e.mobileDep.NetworkChangeListener)
 
-	e.dnsServer.SetRouteChecker(func(ip netip.Addr) bool {
+	e.dnsServer.SetRouteSources(e.routeManager.GetSelectedClientRoutes, e.routeManager.GetActiveClientRoutes)
-		for _, routes := range e.routeManager.GetSelectedClientRoutes() {
-			for _, r := range routes {
-				if r.Network.Contains(ip) {
-					return true
-				}
-			}
-		}
-		return false
-	})
 
 	if err = e.wgInterfaceCreate(); err != nil {
 		log.Errorf("failed creating tunnel interface %s: [%s]", e.config.WgIfaceName, err.Error())
@@ -1386,9 +1377,6 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 
 	e.networkSerial = serial
 
-	// Test received (upstream) servers for availability right away instead of upon usage.
-	// If no server of a server group responds this will disable the respective handler and retry later.
-	go e.dnsServer.ProbeAvailability()
 	return nil
 }
 
@@ -1932,7 +1920,7 @@ func (e *Engine) newDnsServer(dnsConfig *nbdns.Config) (dns.Server, error) {
 		return dnsServer, nil
 
 	case "ios":
-		dnsServer := dns.NewDefaultServerIos(e.ctx, e.wgInterface, e.mobileDep.DnsManager, e.mobileDep.HostDNSAddresses, e.statusRecorder, e.config.DisableDNS)
+		dnsServer := dns.NewDefaultServerIos(e.ctx, e.wgInterface, e.mobileDep.DnsManager, e.statusRecorder, e.config.DisableDNS)
 		return dnsServer, nil
 
 	default:

client/internal/peer/status.go

@@ -217,14 +217,6 @@ type Status struct {
 	eventStreams map[string]chan *proto.SystemEvent
 	eventQueue   *EventQueue
 
-	// stateChangeStreams fan-out connection-state changes (connected /
-	// disconnected / connecting / address change / peers list change) to
-	// every active SubscribeStatus gRPC stream. Each subscriber gets a
-	// buffered chan; the notifier non-blockingly pings them so a slow
-	// consumer can never stall the daemon.
-	stateChangeMux     sync.Mutex
-	stateChangeStreams map[string]chan struct{}
-
 	ingressGwMgr *ingressgw.Manager
 
 	routeIDLookup routeIDLookup
@@ -238,7 +230,6 @@ func NewRecorder(mgmAddress string) *Status {
 		changeNotify:          make(map[string]map[string]*StatusChangeSubscription),
 		eventStreams:          make(map[string]chan *proto.SystemEvent),
 		eventQueue:            NewEventQueue(eventQueueSize),
-		stateChangeStreams:    make(map[string]chan struct{}),
 		offlinePeers:          make([]State, 0),
 		notifier:              newNotifier(),
 		mgmAddress:            mgmAddress,
@@ -369,7 +360,6 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 	if notifyRouter {
 		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
 	}
-	d.notifyStateChange()
 	return nil
 }
 
@@ -395,7 +385,6 @@ func (d *Status) AddPeerStateRoute(peer string, route string, resourceId route.R
 
 	// todo: consider to make sense of this notification or not
 	d.notifier.peerListChanged(numPeers)
-	d.notifyStateChange()
 	return nil
 }
 
@@ -421,7 +410,6 @@ func (d *Status) RemovePeerStateRoute(peer string, route string) error {
 
 	// todo: consider to make sense of this notification or not
 	d.notifier.peerListChanged(numPeers)
-	d.notifyStateChange()
 	return nil
 }
 
@@ -471,7 +459,6 @@ func (d *Status) UpdatePeerICEState(receivedState State) error {
 	if notifyRouter {
 		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
 	}
-	d.notifyStateChange()
 	return nil
 }
 
@@ -508,7 +495,6 @@ func (d *Status) UpdatePeerRelayedState(receivedState State) error {
 	if notifyRouter {
 		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
 	}
-	d.notifyStateChange()
 	return nil
 }
 
@@ -544,7 +530,6 @@ func (d *Status) UpdatePeerRelayedStateToDisconnected(receivedState State) error
 	if notifyRouter {
 		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
 	}
-	d.notifyStateChange()
 	return nil
 }
 
@@ -583,7 +568,6 @@ func (d *Status) UpdatePeerICEStateToDisconnected(receivedState State) error {
 	if notifyRouter {
 		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
 	}
-	d.notifyStateChange()
 	return nil
 }
 
@@ -677,7 +661,6 @@ func (d *Status) FinishPeerListModifications() {
 	for _, rd := range dispatches {
 		d.dispatchRouterPeers(rd.peerID, rd.snapshot)
 	}
-	d.notifyStateChange()
 }
 
 func (d *Status) SubscribeToPeerStateChanges(ctx context.Context, peerID string) *StatusChangeSubscription {
@@ -736,7 +719,6 @@ func (d *Status) UpdateLocalPeerState(localPeerState LocalPeerState) {
 	d.mux.Unlock()
 
 	d.notifier.localAddressChanged(fqdn, ip)
-	d.notifyStateChange()
 }
 
 // AddLocalPeerStateRoute adds a route to the local peer state
@@ -805,7 +787,6 @@ func (d *Status) CleanLocalPeerState() {
 	d.mux.Unlock()
 
 	d.notifier.localAddressChanged(fqdn, ip)
-	d.notifyStateChange()
 }
 
 // MarkManagementDisconnected sets ManagementState to disconnected
@@ -818,7 +799,6 @@ func (d *Status) MarkManagementDisconnected(err error) {
 	d.mux.Unlock()
 
 	d.notifier.updateServerStates(mgm, sig)
-	d.notifyStateChange()
 }
 
 // MarkManagementConnected sets ManagementState to connected
@@ -831,7 +811,6 @@ func (d *Status) MarkManagementConnected() {
 	d.mux.Unlock()
 
 	d.notifier.updateServerStates(mgm, sig)
-	d.notifyStateChange()
 }
 
 // UpdateSignalAddress update the address of the signal server
@@ -872,7 +851,6 @@ func (d *Status) MarkSignalDisconnected(err error) {
 	d.mux.Unlock()
 
 	d.notifier.updateServerStates(mgm, sig)
-	d.notifyStateChange()
 }
 
 // MarkSignalConnected sets SignalState to connected
@@ -885,7 +863,6 @@ func (d *Status) MarkSignalConnected() {
 	d.mux.Unlock()
 
 	d.notifier.updateServerStates(mgm, sig)
-	d.notifyStateChange()
 }
 
 func (d *Status) UpdateRelayStates(relayResults []relay.ProbeResult) {
@@ -1083,19 +1060,16 @@ func (d *Status) GetFullStatus() FullStatus {
 // ClientStart will notify all listeners about the new service state
 func (d *Status) ClientStart() {
 	d.notifier.clientStart()
-	d.notifyStateChange()
 }
 
 // ClientStop will notify all listeners about the new service state
 func (d *Status) ClientStop() {
 	d.notifier.clientStop()
-	d.notifyStateChange()
 }
 
 // ClientTeardown will notify all listeners about the service is under teardown
 func (d *Status) ClientTeardown() {
 	d.notifier.clientTearDown()
-	d.notifyStateChange()
 }
 
 // SetConnectionListener set a listener to the notifier
@@ -1237,50 +1211,6 @@ func (d *Status) GetEventHistory() []*proto.SystemEvent {
 	return d.eventQueue.GetAll()
 }
 
-// SubscribeToStateChanges hands back a channel that receives a tick on
-// every connection-state change (connected / disconnected / connecting /
-// address change / peers-list change). The channel is buffered to one
-// pending tick so a coalesced burst still wakes the consumer exactly
-// once. Pass the returned id to UnsubscribeFromStateChanges to detach.
-func (d *Status) SubscribeToStateChanges() (string, <-chan struct{}) {
-	d.stateChangeMux.Lock()
-	defer d.stateChangeMux.Unlock()
-
-	id := uuid.New().String()
-	ch := make(chan struct{}, 1)
-	d.stateChangeStreams[id] = ch
-	return id, ch
-}
-
-// UnsubscribeFromStateChanges releases a SubscribeToStateChanges channel
-// and closes it so any consumer goroutine selecting on the channel
-// unblocks cleanly.
-func (d *Status) UnsubscribeFromStateChanges(id string) {
-	d.stateChangeMux.Lock()
-	defer d.stateChangeMux.Unlock()
-
-	if ch, ok := d.stateChangeStreams[id]; ok {
-		close(ch)
-		delete(d.stateChangeStreams, id)
-	}
-}
-
-// notifyStateChange wakes every SubscribeToStateChanges subscriber. Drops
-// the tick if a subscriber's buffer is full — by definition the consumer
-// is already going to fetch the latest snapshot, so multiple pending ticks
-// would be redundant.
-func (d *Status) notifyStateChange() {
-	d.stateChangeMux.Lock()
-	defer d.stateChangeMux.Unlock()
-
-	for _, ch := range d.stateChangeStreams {
-		select {
-		case ch <- struct{}{}:
-		default:
-		}
-	}
-}
-
 func (d *Status) SetWgIface(wgInterface WGIfaceStatus) {
 	d.mux.Lock()
 	defer d.mux.Unlock()

client/internal/routemanager/manager.go

@@ -53,6 +53,7 @@ type Manager interface {
 	GetRouteSelector() *routeselector.RouteSelector
 	GetClientRoutes() route.HAMap
 	GetSelectedClientRoutes() route.HAMap
+	GetActiveClientRoutes() route.HAMap
 	GetClientRoutesWithNetID() map[route.NetID][]*route.Route
 	SetRouteChangeListener(listener listener.NetworkChangeListener)
 	InitialRouteRange() []string
@@ -485,6 +486,39 @@ func (m *DefaultManager) GetSelectedClientRoutes() route.HAMap {
 	return m.routeSelector.FilterSelectedExitNodes(maps.Clone(m.clientRoutes))
 }
 
+// GetActiveClientRoutes returns the subset of selected client routes
+// that are currently reachable: the route's peer is Connected and is
+// the one actively carrying the route (not just an HA sibling).
+func (m *DefaultManager) GetActiveClientRoutes() route.HAMap {
+	m.mux.Lock()
+	selected := m.routeSelector.FilterSelectedExitNodes(maps.Clone(m.clientRoutes))
+	recorder := m.statusRecorder
+	m.mux.Unlock()
+
+	if recorder == nil {
+		return selected
+	}
+
+	out := make(route.HAMap, len(selected))
+	for id, routes := range selected {
+		for _, r := range routes {
+			st, err := recorder.GetPeer(r.Peer)
+			if err != nil {
+				continue
+			}
+			if st.ConnStatus != peer.StatusConnected {
+				continue
+			}
+			if _, hasRoute := st.GetRoutes()[r.Network.String()]; !hasRoute {
+				continue
+			}
+			out[id] = routes
+			break
+		}
+	}
+	return out
+}
+
 // GetClientRoutesWithNetID returns the current routes from the route map, but the keys consist of the network ID only
 func (m *DefaultManager) GetClientRoutesWithNetID() map[route.NetID][]*route.Route {
 	m.mux.Lock()

client/internal/routemanager/mock.go

@@ -19,6 +19,7 @@ type MockManager struct {
 	GetRouteSelectorFunc         func() *routeselector.RouteSelector
 	GetClientRoutesFunc          func() route.HAMap
 	GetSelectedClientRoutesFunc  func() route.HAMap
+	GetActiveClientRoutesFunc    func() route.HAMap
 	GetClientRoutesWithNetIDFunc func() map[route.NetID][]*route.Route
 	StopFunc                     func(manager *statemanager.Manager)
 }
@@ -78,6 +79,14 @@ func (m *MockManager) GetSelectedClientRoutes() route.HAMap {
 	return nil
 }
 
+// GetActiveClientRoutes mock implementation of GetActiveClientRoutes from the Manager interface
+func (m *MockManager) GetActiveClientRoutes() route.HAMap {
+	if m.GetActiveClientRoutesFunc != nil {
+		return m.GetActiveClientRoutesFunc()
+	}
+	return nil
+}
+
 // GetClientRoutesWithNetID mock implementation of GetClientRoutesWithNetID from Manager interface
 func (m *MockManager) GetClientRoutesWithNetID() map[route.NetID][]*route.Route {
 	if m.GetClientRoutesWithNetIDFunc != nil {

client/internal/state.go

@@ -57,17 +57,6 @@ func (c *contextState) Status() (StatusType, error) {
 	return c.status, nil
 }
 
-// CurrentStatus returns the last status set via Set, ignoring any wrapped
-// error. Use when the status is needed for reporting purposes (e.g. the
-// status snapshot stream) and a transient wrapped error from a retry loop
-// shouldn't blank out the underlying status.
-func (c *contextState) CurrentStatus() StatusType {
-	c.mutex.Lock()
-	defer c.mutex.Unlock()
-
-	return c.status
-}
-
 func (c *contextState) Wrap(err error) error {
 	c.mutex.Lock()
 	defer c.mutex.Unlock()

client/ios/NetBirdSDK/client.go

@@ -162,11 +162,7 @@ func (c *Client) Run(fd int32, interfaceName string, envList *EnvList) error {
 	cfg.WgIface = interfaceName
 
 	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	hostDNS := []netip.AddrPort{
+	return c.connectClient.RunOniOS(fd, c.networkChangeListener, c.dnsManager, c.stateFile)
-		netip.MustParseAddrPort("9.9.9.9:53"),
-		netip.MustParseAddrPort("149.112.112.112:53"),
-	}
-	return c.connectClient.RunOniOS(fd, c.networkChangeListener, c.dnsManager, hostDNS, c.stateFile)
 }
 
 // Stop the internal client and free the resources

client/netbird.wxs

@@ -32,6 +32,9 @@
 					</File>
 					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\wintun.dll" />
 					<File Id="NetbirdToastIcon" Name="netbird.png" Source=".\client\ui\assets\netbird.png" />
+					<?if $(var.ArchSuffix) = "amd64" ?>
+					<File ProcessorArchitecture="$(var.ProcessorArchitecture)" Source=".\dist\netbird_windows_$(var.ArchSuffix)\opengl32.dll" />
+					<?endif ?>
 
 					<ServiceInstall
                                      Id="NetBirdService"
@@ -59,14 +62,6 @@
 			<Component Id="NetbirdAumidRegistry" Guid="*">
 				<RegistryKey Root="HKCU" Key="Software\Classes\AppUserModelId\NetBird" ForceDeleteOnUninstall="yes">
 					<RegistryValue Name="InstalledByMSI" Type="integer" Value="1" KeyPath="yes" />
-					<!-- Pre-seed the CLSID the Wails notifications service reads on
-					     first startup (notifications_windows.go:getGUID looks for
-					     the CustomActivator value under this key). Without this
-					     the service generates a fresh per-install UUID, which
-					     diverges from the ToastActivatorCLSID set on the Start
-					     Menu / Desktop shortcuts above and the COM activator
-					     never fires when a toast is clicked. -->
-					<RegistryValue Name="CustomActivator" Type="string" Value="{0E1B4DE7-E148-432B-9814-544F941826EC}" />
 				</RegistryKey>
 			</Component>
 		</StandardDirectory>
@@ -90,40 +85,10 @@
 		<util:CloseApplication Id="CloseNetBird" CloseMessage="no" Target="netbird.exe" RebootPrompt="no" />
 		<util:CloseApplication Id="CloseNetBirdUI" CloseMessage="no" Target="netbird-ui.exe" RebootPrompt="no" TerminateProcess="0" />
 
-		<!-- WebView2 evergreen runtime detection.
-		     Probe both the per-machine and per-user EdgeUpdate keys; if either
-		     reports a non-empty `pv` value the runtime is already installed
-		     and we skip the bootstrapper. -->
-		<Property Id="WEBVIEW2_VERSION_HKLM">
-			<RegistrySearch Id="WV2HKLM" Root="HKLM"
-				Key="SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}"
-				Name="pv" Type="raw" Bitness="always64" />
-		</Property>
-		<Property Id="WEBVIEW2_VERSION_HKCU">
-			<RegistrySearch Id="WV2HKCU" Root="HKCU"
-				Key="Software\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}"
-				Name="pv" Type="raw" />
-		</Property>
 
-		<!-- Embed the bootstrapper payload. Path is relative to the WiX
-		     working directory; sign-pipelines stages it next to client/
-		     via `wails3 generate webview2bootstrapper`. -->
-		<Binary Id="WebView2Bootstrapper" SourceFile=".\client\MicrosoftEdgeWebview2Setup.exe" />
-
-		<CustomAction Id="InstallWebView2"
-			BinaryRef="WebView2Bootstrapper"
-			ExeCommand="/silent /install"
-			Execute="deferred"
-			Impersonate="no"
-			Return="check" />
-
-		<InstallExecuteSequence>
-			<Custom Action="InstallWebView2" Before="InstallFinalize"
-				Condition="NOT WEBVIEW2_VERSION_HKLM AND NOT WEBVIEW2_VERSION_HKCU AND NOT REMOVE" />
-		</InstallExecuteSequence>
 
 		<!-- Icons -->
-		<Icon Id="NetbirdIcon" SourceFile=".\client\ui\build\windows\icon.ico" />
+		<Icon Id="NetbirdIcon" SourceFile=".\client\ui\assets\netbird.ico" />
 		<Property Id="ARPPRODUCTICON" Value="NetbirdIcon" />
 
 	</Package>

client/proto/daemon.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.6
-// 	protoc        v7.34.1
+// 	protoc        v6.33.1
 // source: daemon.proto
 
 package proto
@@ -6773,13 +6773,12 @@ const file_daemon_proto_rawDesc = "" +
 	"\n" +
 	"EXPOSE_UDP\x10\x03\x12\x0e\n" +
 	"\n" +
-	"EXPOSE_TLS\x10\x042\xf5\x17\n" +
+	"EXPOSE_TLS\x10\x042\xaf\x17\n" +
 	"\rDaemonService\x126\n" +
 	"\x05Login\x12\x14.daemon.LoginRequest\x1a\x15.daemon.LoginResponse\"\x00\x12K\n" +
 	"\fWaitSSOLogin\x12\x1b.daemon.WaitSSOLoginRequest\x1a\x1c.daemon.WaitSSOLoginResponse\"\x00\x12-\n" +
 	"\x02Up\x12\x11.daemon.UpRequest\x1a\x12.daemon.UpResponse\"\x00\x129\n" +
-	"\x06Status\x12\x15.daemon.StatusRequest\x1a\x16.daemon.StatusResponse\"\x00\x12D\n" +
+	"\x06Status\x12\x15.daemon.StatusRequest\x1a\x16.daemon.StatusResponse\"\x00\x123\n" +
-	"\x0fSubscribeStatus\x12\x15.daemon.StatusRequest\x1a\x16.daemon.StatusResponse\"\x000\x01\x123\n" +
 	"\x04Down\x12\x13.daemon.DownRequest\x1a\x14.daemon.DownResponse\"\x00\x12B\n" +
 	"\tGetConfig\x12\x18.daemon.GetConfigRequest\x1a\x19.daemon.GetConfigResponse\"\x00\x12K\n" +
 	"\fListNetworks\x12\x1b.daemon.ListNetworksRequest\x1a\x1c.daemon.ListNetworksResponse\"\x00\x12Q\n" +
@@ -6980,84 +6979,82 @@ var file_daemon_proto_depIdxs = []int32{
 	7,   // 38: daemon.DaemonService.WaitSSOLogin:input_type -> daemon.WaitSSOLoginRequest
 	9,   // 39: daemon.DaemonService.Up:input_type -> daemon.UpRequest
 	11,  // 40: daemon.DaemonService.Status:input_type -> daemon.StatusRequest
-	11,  // 41: daemon.DaemonService.SubscribeStatus:input_type -> daemon.StatusRequest
+	13,  // 41: daemon.DaemonService.Down:input_type -> daemon.DownRequest
-	13,  // 42: daemon.DaemonService.Down:input_type -> daemon.DownRequest
+	15,  // 42: daemon.DaemonService.GetConfig:input_type -> daemon.GetConfigRequest
-	15,  // 43: daemon.DaemonService.GetConfig:input_type -> daemon.GetConfigRequest
+	26,  // 43: daemon.DaemonService.ListNetworks:input_type -> daemon.ListNetworksRequest
-	26,  // 44: daemon.DaemonService.ListNetworks:input_type -> daemon.ListNetworksRequest
+	28,  // 44: daemon.DaemonService.SelectNetworks:input_type -> daemon.SelectNetworksRequest
-	28,  // 45: daemon.DaemonService.SelectNetworks:input_type -> daemon.SelectNetworksRequest
+	28,  // 45: daemon.DaemonService.DeselectNetworks:input_type -> daemon.SelectNetworksRequest
-	28,  // 46: daemon.DaemonService.DeselectNetworks:input_type -> daemon.SelectNetworksRequest
+	4,   // 46: daemon.DaemonService.ForwardingRules:input_type -> daemon.EmptyRequest
-	4,   // 47: daemon.DaemonService.ForwardingRules:input_type -> daemon.EmptyRequest
+	35,  // 47: daemon.DaemonService.DebugBundle:input_type -> daemon.DebugBundleRequest
-	35,  // 48: daemon.DaemonService.DebugBundle:input_type -> daemon.DebugBundleRequest
+	37,  // 48: daemon.DaemonService.GetLogLevel:input_type -> daemon.GetLogLevelRequest
-	37,  // 49: daemon.DaemonService.GetLogLevel:input_type -> daemon.GetLogLevelRequest
+	39,  // 49: daemon.DaemonService.SetLogLevel:input_type -> daemon.SetLogLevelRequest
-	39,  // 50: daemon.DaemonService.SetLogLevel:input_type -> daemon.SetLogLevelRequest
+	42,  // 50: daemon.DaemonService.ListStates:input_type -> daemon.ListStatesRequest
-	42,  // 51: daemon.DaemonService.ListStates:input_type -> daemon.ListStatesRequest
+	44,  // 51: daemon.DaemonService.CleanState:input_type -> daemon.CleanStateRequest
-	44,  // 52: daemon.DaemonService.CleanState:input_type -> daemon.CleanStateRequest
+	46,  // 52: daemon.DaemonService.DeleteState:input_type -> daemon.DeleteStateRequest
-	46,  // 53: daemon.DaemonService.DeleteState:input_type -> daemon.DeleteStateRequest
+	48,  // 53: daemon.DaemonService.SetSyncResponsePersistence:input_type -> daemon.SetSyncResponsePersistenceRequest
-	48,  // 54: daemon.DaemonService.SetSyncResponsePersistence:input_type -> daemon.SetSyncResponsePersistenceRequest
+	51,  // 54: daemon.DaemonService.TracePacket:input_type -> daemon.TracePacketRequest
-	51,  // 55: daemon.DaemonService.TracePacket:input_type -> daemon.TracePacketRequest
+	92,  // 55: daemon.DaemonService.StartCapture:input_type -> daemon.StartCaptureRequest
-	92,  // 56: daemon.DaemonService.StartCapture:input_type -> daemon.StartCaptureRequest
+	94,  // 56: daemon.DaemonService.StartBundleCapture:input_type -> daemon.StartBundleCaptureRequest
-	94,  // 57: daemon.DaemonService.StartBundleCapture:input_type -> daemon.StartBundleCaptureRequest
+	96,  // 57: daemon.DaemonService.StopBundleCapture:input_type -> daemon.StopBundleCaptureRequest
-	96,  // 58: daemon.DaemonService.StopBundleCapture:input_type -> daemon.StopBundleCaptureRequest
+	54,  // 58: daemon.DaemonService.SubscribeEvents:input_type -> daemon.SubscribeRequest
-	54,  // 59: daemon.DaemonService.SubscribeEvents:input_type -> daemon.SubscribeRequest
+	56,  // 59: daemon.DaemonService.GetEvents:input_type -> daemon.GetEventsRequest
-	56,  // 60: daemon.DaemonService.GetEvents:input_type -> daemon.GetEventsRequest
+	58,  // 60: daemon.DaemonService.SwitchProfile:input_type -> daemon.SwitchProfileRequest
-	58,  // 61: daemon.DaemonService.SwitchProfile:input_type -> daemon.SwitchProfileRequest
+	60,  // 61: daemon.DaemonService.SetConfig:input_type -> daemon.SetConfigRequest
-	60,  // 62: daemon.DaemonService.SetConfig:input_type -> daemon.SetConfigRequest
+	62,  // 62: daemon.DaemonService.AddProfile:input_type -> daemon.AddProfileRequest
-	62,  // 63: daemon.DaemonService.AddProfile:input_type -> daemon.AddProfileRequest
+	64,  // 63: daemon.DaemonService.RemoveProfile:input_type -> daemon.RemoveProfileRequest
-	64,  // 64: daemon.DaemonService.RemoveProfile:input_type -> daemon.RemoveProfileRequest
+	66,  // 64: daemon.DaemonService.ListProfiles:input_type -> daemon.ListProfilesRequest
-	66,  // 65: daemon.DaemonService.ListProfiles:input_type -> daemon.ListProfilesRequest
+	69,  // 65: daemon.DaemonService.GetActiveProfile:input_type -> daemon.GetActiveProfileRequest
-	69,  // 66: daemon.DaemonService.GetActiveProfile:input_type -> daemon.GetActiveProfileRequest
+	71,  // 66: daemon.DaemonService.Logout:input_type -> daemon.LogoutRequest
-	71,  // 67: daemon.DaemonService.Logout:input_type -> daemon.LogoutRequest
+	73,  // 67: daemon.DaemonService.GetFeatures:input_type -> daemon.GetFeaturesRequest
-	73,  // 68: daemon.DaemonService.GetFeatures:input_type -> daemon.GetFeaturesRequest
+	75,  // 68: daemon.DaemonService.TriggerUpdate:input_type -> daemon.TriggerUpdateRequest
-	75,  // 69: daemon.DaemonService.TriggerUpdate:input_type -> daemon.TriggerUpdateRequest
+	77,  // 69: daemon.DaemonService.GetPeerSSHHostKey:input_type -> daemon.GetPeerSSHHostKeyRequest
-	77,  // 70: daemon.DaemonService.GetPeerSSHHostKey:input_type -> daemon.GetPeerSSHHostKeyRequest
+	79,  // 70: daemon.DaemonService.RequestJWTAuth:input_type -> daemon.RequestJWTAuthRequest
-	79,  // 71: daemon.DaemonService.RequestJWTAuth:input_type -> daemon.RequestJWTAuthRequest
+	81,  // 71: daemon.DaemonService.WaitJWTToken:input_type -> daemon.WaitJWTTokenRequest
-	81,  // 72: daemon.DaemonService.WaitJWTToken:input_type -> daemon.WaitJWTTokenRequest
+	83,  // 72: daemon.DaemonService.StartCPUProfile:input_type -> daemon.StartCPUProfileRequest
-	83,  // 73: daemon.DaemonService.StartCPUProfile:input_type -> daemon.StartCPUProfileRequest
+	85,  // 73: daemon.DaemonService.StopCPUProfile:input_type -> daemon.StopCPUProfileRequest
-	85,  // 74: daemon.DaemonService.StopCPUProfile:input_type -> daemon.StopCPUProfileRequest
+	87,  // 74: daemon.DaemonService.GetInstallerResult:input_type -> daemon.InstallerResultRequest
-	87,  // 75: daemon.DaemonService.GetInstallerResult:input_type -> daemon.InstallerResultRequest
+	89,  // 75: daemon.DaemonService.ExposeService:input_type -> daemon.ExposeServiceRequest
-	89,  // 76: daemon.DaemonService.ExposeService:input_type -> daemon.ExposeServiceRequest
+	6,   // 76: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
-	6,   // 77: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
+	8,   // 77: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
-	8,   // 78: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
+	10,  // 78: daemon.DaemonService.Up:output_type -> daemon.UpResponse
-	10,  // 79: daemon.DaemonService.Up:output_type -> daemon.UpResponse
+	12,  // 79: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
-	12,  // 80: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
+	14,  // 80: daemon.DaemonService.Down:output_type -> daemon.DownResponse
-	12,  // 81: daemon.DaemonService.SubscribeStatus:output_type -> daemon.StatusResponse
+	16,  // 81: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
-	14,  // 82: daemon.DaemonService.Down:output_type -> daemon.DownResponse
+	27,  // 82: daemon.DaemonService.ListNetworks:output_type -> daemon.ListNetworksResponse
-	16,  // 83: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
+	29,  // 83: daemon.DaemonService.SelectNetworks:output_type -> daemon.SelectNetworksResponse
-	27,  // 84: daemon.DaemonService.ListNetworks:output_type -> daemon.ListNetworksResponse
+	29,  // 84: daemon.DaemonService.DeselectNetworks:output_type -> daemon.SelectNetworksResponse
-	29,  // 85: daemon.DaemonService.SelectNetworks:output_type -> daemon.SelectNetworksResponse
+	34,  // 85: daemon.DaemonService.ForwardingRules:output_type -> daemon.ForwardingRulesResponse
-	29,  // 86: daemon.DaemonService.DeselectNetworks:output_type -> daemon.SelectNetworksResponse
+	36,  // 86: daemon.DaemonService.DebugBundle:output_type -> daemon.DebugBundleResponse
-	34,  // 87: daemon.DaemonService.ForwardingRules:output_type -> daemon.ForwardingRulesResponse
+	38,  // 87: daemon.DaemonService.GetLogLevel:output_type -> daemon.GetLogLevelResponse
-	36,  // 88: daemon.DaemonService.DebugBundle:output_type -> daemon.DebugBundleResponse
+	40,  // 88: daemon.DaemonService.SetLogLevel:output_type -> daemon.SetLogLevelResponse
-	38,  // 89: daemon.DaemonService.GetLogLevel:output_type -> daemon.GetLogLevelResponse
+	43,  // 89: daemon.DaemonService.ListStates:output_type -> daemon.ListStatesResponse
-	40,  // 90: daemon.DaemonService.SetLogLevel:output_type -> daemon.SetLogLevelResponse
+	45,  // 90: daemon.DaemonService.CleanState:output_type -> daemon.CleanStateResponse
-	43,  // 91: daemon.DaemonService.ListStates:output_type -> daemon.ListStatesResponse
+	47,  // 91: daemon.DaemonService.DeleteState:output_type -> daemon.DeleteStateResponse
-	45,  // 92: daemon.DaemonService.CleanState:output_type -> daemon.CleanStateResponse
+	49,  // 92: daemon.DaemonService.SetSyncResponsePersistence:output_type -> daemon.SetSyncResponsePersistenceResponse
-	47,  // 93: daemon.DaemonService.DeleteState:output_type -> daemon.DeleteStateResponse
+	53,  // 93: daemon.DaemonService.TracePacket:output_type -> daemon.TracePacketResponse
-	49,  // 94: daemon.DaemonService.SetSyncResponsePersistence:output_type -> daemon.SetSyncResponsePersistenceResponse
+	93,  // 94: daemon.DaemonService.StartCapture:output_type -> daemon.CapturePacket
-	53,  // 95: daemon.DaemonService.TracePacket:output_type -> daemon.TracePacketResponse
+	95,  // 95: daemon.DaemonService.StartBundleCapture:output_type -> daemon.StartBundleCaptureResponse
-	93,  // 96: daemon.DaemonService.StartCapture:output_type -> daemon.CapturePacket
+	97,  // 96: daemon.DaemonService.StopBundleCapture:output_type -> daemon.StopBundleCaptureResponse
-	95,  // 97: daemon.DaemonService.StartBundleCapture:output_type -> daemon.StartBundleCaptureResponse
+	55,  // 97: daemon.DaemonService.SubscribeEvents:output_type -> daemon.SystemEvent
-	97,  // 98: daemon.DaemonService.StopBundleCapture:output_type -> daemon.StopBundleCaptureResponse
+	57,  // 98: daemon.DaemonService.GetEvents:output_type -> daemon.GetEventsResponse
-	55,  // 99: daemon.DaemonService.SubscribeEvents:output_type -> daemon.SystemEvent
+	59,  // 99: daemon.DaemonService.SwitchProfile:output_type -> daemon.SwitchProfileResponse
-	57,  // 100: daemon.DaemonService.GetEvents:output_type -> daemon.GetEventsResponse
+	61,  // 100: daemon.DaemonService.SetConfig:output_type -> daemon.SetConfigResponse
-	59,  // 101: daemon.DaemonService.SwitchProfile:output_type -> daemon.SwitchProfileResponse
+	63,  // 101: daemon.DaemonService.AddProfile:output_type -> daemon.AddProfileResponse
-	61,  // 102: daemon.DaemonService.SetConfig:output_type -> daemon.SetConfigResponse
+	65,  // 102: daemon.DaemonService.RemoveProfile:output_type -> daemon.RemoveProfileResponse
-	63,  // 103: daemon.DaemonService.AddProfile:output_type -> daemon.AddProfileResponse
+	67,  // 103: daemon.DaemonService.ListProfiles:output_type -> daemon.ListProfilesResponse
-	65,  // 104: daemon.DaemonService.RemoveProfile:output_type -> daemon.RemoveProfileResponse
+	70,  // 104: daemon.DaemonService.GetActiveProfile:output_type -> daemon.GetActiveProfileResponse
-	67,  // 105: daemon.DaemonService.ListProfiles:output_type -> daemon.ListProfilesResponse
+	72,  // 105: daemon.DaemonService.Logout:output_type -> daemon.LogoutResponse
-	70,  // 106: daemon.DaemonService.GetActiveProfile:output_type -> daemon.GetActiveProfileResponse
+	74,  // 106: daemon.DaemonService.GetFeatures:output_type -> daemon.GetFeaturesResponse
-	72,  // 107: daemon.DaemonService.Logout:output_type -> daemon.LogoutResponse
+	76,  // 107: daemon.DaemonService.TriggerUpdate:output_type -> daemon.TriggerUpdateResponse
-	74,  // 108: daemon.DaemonService.GetFeatures:output_type -> daemon.GetFeaturesResponse
+	78,  // 108: daemon.DaemonService.GetPeerSSHHostKey:output_type -> daemon.GetPeerSSHHostKeyResponse
-	76,  // 109: daemon.DaemonService.TriggerUpdate:output_type -> daemon.TriggerUpdateResponse
+	80,  // 109: daemon.DaemonService.RequestJWTAuth:output_type -> daemon.RequestJWTAuthResponse
-	78,  // 110: daemon.DaemonService.GetPeerSSHHostKey:output_type -> daemon.GetPeerSSHHostKeyResponse
+	82,  // 110: daemon.DaemonService.WaitJWTToken:output_type -> daemon.WaitJWTTokenResponse
-	80,  // 111: daemon.DaemonService.RequestJWTAuth:output_type -> daemon.RequestJWTAuthResponse
+	84,  // 111: daemon.DaemonService.StartCPUProfile:output_type -> daemon.StartCPUProfileResponse
-	82,  // 112: daemon.DaemonService.WaitJWTToken:output_type -> daemon.WaitJWTTokenResponse
+	86,  // 112: daemon.DaemonService.StopCPUProfile:output_type -> daemon.StopCPUProfileResponse
-	84,  // 113: daemon.DaemonService.StartCPUProfile:output_type -> daemon.StartCPUProfileResponse
+	88,  // 113: daemon.DaemonService.GetInstallerResult:output_type -> daemon.InstallerResultResponse
-	86,  // 114: daemon.DaemonService.StopCPUProfile:output_type -> daemon.StopCPUProfileResponse
+	90,  // 114: daemon.DaemonService.ExposeService:output_type -> daemon.ExposeServiceEvent
-	88,  // 115: daemon.DaemonService.GetInstallerResult:output_type -> daemon.InstallerResultResponse
+	76,  // [76:115] is the sub-list for method output_type
-	90,  // 116: daemon.DaemonService.ExposeService:output_type -> daemon.ExposeServiceEvent
+	37,  // [37:76] is the sub-list for method input_type
-	77,  // [77:117] is the sub-list for method output_type
-	37,  // [37:77] is the sub-list for method input_type
 	37,  // [37:37] is the sub-list for extension type_name
 	37,  // [37:37] is the sub-list for extension extendee
 	0,   // [0:37] is the sub-list for field type_name

client/proto/daemon.proto

@@ -24,12 +24,6 @@ service DaemonService {
   // Status of the service.
   rpc Status(StatusRequest) returns (StatusResponse) {}
 
-  // SubscribeStatus pushes a fresh StatusResponse on connection state
-  // changes (Connected / Disconnected / Connecting / address change /
-  // peers list change). The first message on the stream is the current
-  // snapshot, so a freshly-subscribed UI doesn't need to also call Status.
-  rpc SubscribeStatus(StatusRequest) returns (stream StatusResponse) {}
-
   // Down stops engine work in the daemon.
   rpc Down(DownRequest) returns (DownResponse) {}
 

client/server/server.go

@@ -258,15 +258,6 @@ func (s *Server) connectWithRetryRuns(ctx context.Context, profileConfig *profil
 	runOperation := func() error {
 		err := s.connect(ctx, profileConfig, statusRecorder, runningChan)
 		if err != nil {
-			// PermissionDenied means the daemon transitioned to NeedsLogin
-			// inside connect(). Without backoff.Permanent the outer retry
-			// re-enters connect(), which resets the state to Connecting and
-			// makes the tray flicker between NeedsLogin and Connecting until
-			// the user logs in. Stop retrying and let the state stick.
-			if s, ok := gstatus.FromError(err); ok && s.Code() == codes.PermissionDenied {
-				log.Debugf("run client connection exited with PermissionDenied, waiting for login")
-				return backoff.Permanent(err)
-			}
 			log.Debugf("run client connection exited with error: %v. Will retry in the background", err)
 			return err
 		}
@@ -350,7 +341,9 @@ func (s *Server) SetConfig(callerCtx context.Context, msg *proto.SetConfigReques
 	}
 
 	if msg.OptionalPreSharedKey != nil {
-		config.PreSharedKey = msg.OptionalPreSharedKey
+		if *msg.OptionalPreSharedKey != "" {
+			config.PreSharedKey = msg.OptionalPreSharedKey
+		}
 	}
 
 	if msg.CleanDNSLabels {
@@ -846,6 +839,9 @@ func (s *Server) Down(ctx context.Context, _ *proto.DownRequest) (*proto.DownRes
 		return nil, err
 	}
 
+	state := internal.CtxGetState(s.rootCtx)
+	state.Set(internal.StatusIdle)
+
 	s.mutex.Unlock()
 
 	// Wait for the connectWithRetryRuns goroutine to finish with a short timeout.
@@ -860,12 +856,6 @@ func (s *Server) Down(ctx context.Context, _ *proto.DownRequest) (*proto.DownRes
 		}
 	}
 
-	// Set Idle only after the retry goroutine has exited (or timed out).
-	// Setting it earlier races with the goroutine's own Set(StatusConnecting)
-	// at the top of each retry attempt, which would leave the snapshot
-	// stuck at Connecting long after the user asked to disconnect.
-	internal.CtxGetState(s.rootCtx).Set(internal.StatusIdle)
-
 	return &proto.DownResponse{}, nil
 }
 
@@ -1119,23 +1109,9 @@ func (s *Server) Status(
 		}
 	}
 
-	return s.buildStatusResponse(msg)
+	status, err := internal.CtxGetState(s.rootCtx).Status()
-}
-
-// buildStatusResponse composes a StatusResponse from the current daemon
-// state. Shared between the unary Status RPC and the SubscribeStatus
-// stream so both paths return identical snapshots.
-func (s *Server) buildStatusResponse(msg *proto.StatusRequest) (*proto.StatusResponse, error) {
-	state := internal.CtxGetState(s.rootCtx)
-	status, err := state.Status()
 	if err != nil {
-		// state.Status() blanks the status when err is set (e.g. management
+		return nil, err
-		// retry loop wrapped a connection error). The underlying status is
-		// still meaningful and the failure is already surfaced via
-		// FullStatus.ManagementState.Error, so don't propagate err — that
-		// would tear down the SubscribeStatus stream and cause the UI to
-		// mark the daemon as unreachable on every retry.
-		status = state.CurrentStatus()
 	}
 
 	if status == internal.StatusNeedsLogin && s.isSessionActive.Load() {

client/server/status_stream.go

@@ -1,57 +0,0 @@
-package server
-
-import (
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-// SubscribeStatus pushes a fresh StatusResponse on every connection state
-// change. The first message is the current snapshot, so a re-subscribing
-// client doesn't need to also call Status. Subsequent messages fire when
-// the peer recorder reports any of: connected/disconnected/connecting,
-// management or signal flip, address change, or peers list change.
-//
-// The change channel coalesces bursts to a single tick. If the consumer
-// is slow the daemon drops extras (not blocks), and the next snapshot
-// the consumer pulls already reflects everything.
-func (s *Server) SubscribeStatus(req *proto.StatusRequest, stream proto.DaemonService_SubscribeStatusServer) error {
-	subID, ch := s.statusRecorder.SubscribeToStateChanges()
-	defer func() {
-		s.statusRecorder.UnsubscribeFromStateChanges(subID)
-		log.Debug("client unsubscribed from status updates")
-	}()
-
-	log.Debug("client subscribed to status updates")
-
-	if err := s.sendStatusSnapshot(req, stream); err != nil {
-		return err
-	}
-
-	for {
-		select {
-		case _, ok := <-ch:
-			if !ok {
-				return nil
-			}
-			if err := s.sendStatusSnapshot(req, stream); err != nil {
-				return err
-			}
-		case <-stream.Context().Done():
-			return nil
-		}
-	}
-}
-
-func (s *Server) sendStatusSnapshot(req *proto.StatusRequest, stream proto.DaemonService_SubscribeStatusServer) error {
-	resp, err := s.buildStatusResponse(req)
-	if err != nil {
-		log.Warnf("build status snapshot for stream: %v", err)
-		return err
-	}
-	if err := stream.Send(resp); err != nil {
-		log.Warnf("send status snapshot to stream: %v", err)
-		return err
-	}
-	return nil
-}

client/ui/.gitignore

@@ -1,8 +0,0 @@
-.task
-bin
-frontend/dist
-frontend/node_modules
-frontend/bindings
-frontend/.vite
-build/linux/appimage/build
-build/windows/nsis/MicrosoftEdgeWebview2Setup.exe

client/ui/CLAUDE.md

@@ -1,134 +0,0 @@
-# NetBird Wails UI — Working Notes
-
-This is the Wails v3 desktop UI for NetBird. Go services live in `services/`; the React/TS frontend lives in `frontend/`; bindings between them are generated under `frontend/bindings/`.
-
-## Layout
-- `main.go`, `tray*.go`, `grpc.go` — app entry, system tray, daemon gRPC client.
-- `services/*.go` — typed Wails services exposed to JS (`Profiles`, `Settings`, `Networks`, `Peers`, `Connection`, `Debug`, `Update`, `Forwarding`). Each method becomes a TS function in `frontend/bindings/.../services/`.
-- `frontend/bindings/**` — generated, do not edit by hand. Regen via `wails3 generate bindings -clean=true -ts` (from this dir). Triggered by Go code changes.
-- `frontend/src/` — React app. Route table is `app.tsx`. App shell is `layouts/AppLayout.tsx`; context providers live under `modules/*/Context.tsx`.
-
-## Daemon proto
-- Proto source: `../proto/daemon.proto`. Generated Go in `../proto/*.pb.go`.
-- Regen: `cd ../proto && protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative daemon.proto`
-- Pinned versions (see `daemon.pb.go` header): `protoc v7.34.1`, `protoc-gen-go v1.36.6`. CI's `proto-version-check` workflow fails on mismatch.
-- After proto regen, also regen Wails bindings so the TS layer picks up new fields.
-
-## Wails Dialogs (frontend, `@wailsio/runtime`)
-
-The frontend dialog API lives in `@wailsio/runtime` as `Dialogs`. Authoritative signatures are in
-`frontend/node_modules/@wailsio/runtime/types/dialogs.d.ts`.
-
-### Message dialogs
-
-```ts
-import { Dialogs } from "@wailsio/runtime";
-
-await Dialogs.Info({ Title, Message, Buttons?, Detached? });
-await Dialogs.Warning({ Title, Message, Buttons?, Detached? });
-await Dialogs.Error({ Title, Message, Buttons?, Detached? });
-await Dialogs.Question({ Title, Message, Buttons?, Detached? });
-```
-
-All four return `Promise<string>` resolving to the **Label** of the button the user clicked. With no `Buttons` provided you get a single OK button — the promise just resolves when the user dismisses.
-
-`MessageDialogOptions` fields:
-- `Title?: string` — window title (short).
-- `Message?: string` — the body text.
-- `Buttons?: Button[]` — custom buttons. Each `Button` is `{ Label?, IsCancel?, IsDefault? }`. `IsCancel` is what Esc/⌘. triggers; `IsDefault` is what Enter triggers.
-- `Detached?: boolean` — when `true`, the dialog isn't tied to the parent window (no sheet behavior on macOS).
-
-### File dialogs
-
-`Dialogs.OpenFile(options)` and `Dialogs.SaveFile(options)` — see `dialogs.d.ts` for the full `OpenFileDialogOptions` / `SaveFileDialogOptions` field set (filters, ButtonText, multi-select, hidden files, alias resolution, directory mode, etc).
-
-### Per-OS behavior
-
-| Platform | Behavior |
-|---|---|
-| **macOS** | Sheet-style when attached to a parent window. Up to ~4 custom buttons render naturally. Keyboard: Enter = default, ⌘. or Esc = cancel. Follows system theme. Accessibility is built-in. |
-| **Windows** | Modal `TaskDialog`-style. Standard button labels are nudged toward OS conventions. Keyboard: Enter = default, Esc = cancel. Follows system theme. |
-| **Linux** | GTK dialogs — appearance varies by desktop environment (GNOME/KDE). Follows desktop theme. Standard keyboard nav. |
-
-Behavioural notes that affect us:
-- The promise resolves with the **button label string**, not an index. Compare against the literal `Label` you passed (e.g. `if (result !== "Delete") return;`).
-- `Buttons[]` on Linux/Windows uses the labels you supply, but the OS layout/styling is fixed.
-- `Dialogs.Error` plays the platform error sound and uses the platform error icon. Don't use it for confirmations — use `Dialogs.Warning` or `Dialogs.Question`.
-- Don't fire dialogs in a tight loop or from every keystroke — they interrupt focus and (on macOS) animate in/out. Debounce or guard with a `busy` flag.
-
-### Custom dialogs (frameless child windows)
-
-When the native API isn't enough (rich content, form layout, complex validation), open a regular Wails window with dialog-like options. This is done on the **Go side** — `app.Window.NewWithOptions(application.WebviewWindowOptions{...})`. Key options:
-- `Parent` — attach to a parent so OS treats it as a child.
-- `AlwaysOnTop: true` — float above the parent.
-- `Frameless: true` — no titlebar/chrome.
-- `Resizable: false` — fixed-size dialog feel.
-- `Hidden: true` initially, then `dialog.Show()` + `dialog.SetFocus()`.
-
-Modal behavior is achieved by calling `parent.SetEnabled(false)` and restoring with `parent.SetEnabled(true)` in `dialog.OnClose`. Communicate results via Wails events (`app.Event.On(...)`, `Events.Emit(...)` on the frontend) or a Go channel.
-
-We are **not currently using custom dialogs** in this repo — the in-app modals (`NewProfileDialog`, etc.) are Radix `Dialog` primitives inside the main webview, which is fine for most flows. Reach for a custom OS window only when content must escape the main window (e.g. a separate auth window) or when modality across windows matters.
-
-## Conventions in this codebase
-
-### Errors → native dialogs
-
-We surface user-actionable errors via `Dialogs.Error` rather than red inline text. This started with the profile selector and applies broadly to operation failures (config save, profile switch, debug bundle, update, etc.).
-
-Pattern:
-```ts
-try {
-    await SomeSvc.Operation(...);
-} catch (e) {
-    await Dialogs.Error({
-        Title: "Operation Failed",  // short, action-named
-        Message: e instanceof Error ? e.message : String(e),
-    });
-}
-```
-
-Title rules:
-- Action-named, short: "Switch Profile Failed", "Save Settings Failed", "Debug Bundle Failed".
-- Not "Error" / "Something went wrong" — the dialog already says that visually.
-
-When **not** to use a native dialog:
-- **Form validation** (`Input.tsx`, URL-format checks, etc.) — inline next to the field. Native dialogs are too heavy for keystroke-driven feedback.
-- **Status/result chrome on a dedicated screen** — e.g. the `/update` and `/login` pages can show a brief "Update failed" header *in addition to* the dialog, so the screen isn't blank after dismissal.
-- **Transient link errors on the dashboard** (e.g. `link.error` on a management/signal card) — these flap in/out as the daemon recovers; an inline indicator is more appropriate than a dialog.
-- **Result notifications inside a success flow** — e.g. "bundle saved but upload failed" can stay inline since the operation otherwise succeeded.
-
-### Confirmations
-Use `Dialogs.Warning` with explicit `Buttons`:
-```ts
-const r = await Dialogs.Warning({
-    Title: "Delete Profile",
-    Message: `Are you sure you want to delete "${name}"?`,
-    Buttons: [
-        { Label: "Cancel", IsCancel: true },
-        { Label: "Delete", IsDefault: true },
-    ],
-});
-if (r !== "Delete") return;
-```
-Compare against the **Label string** returned, not an index.
-
-### Bindings & types
-Always import generated bindings from `@bindings/services` and types from `@bindings/services/models.js`. The path alias is set up in `tsconfig.json` / `vite.config.ts`.
-
-After editing any `services/*.go` (or the underlying proto), regenerate:
-```
-wails3 generate bindings -clean=true -ts
-```
-
-### Profile context
-`modules/profile/ProfileContext.tsx` is the single source of truth for `username`, `activeProfile`, and the `profiles` list. It exposes `switchProfile`, `addProfile`, `removeProfile`, `logoutProfile`, and `refresh`. `switchProfile` mirrors `tray.go`: it always issues `Profiles.Switch`, but only calls `Connection.Down` + `Connection.Up` when the daemon was actively online (status `Connected`/`Connecting`). Calling `Up` on an `Idle`/`NeedsLogin` daemon makes it block on the daemon's internal 50s `waitForUp` and return `DeadlineExceeded`. Callers shouldn't bring the connection up themselves.
-
-## Build / dev tasks
-- `task dev` — Wails dev mode (live reload).
-- `task build` — production build for the current OS (Taskfile dispatches to `darwin/`, `linux/`, `windows/`).
-- `task generate:bindings` does not exist as a top-level alias — run `wails3 generate bindings -clean=true -ts` directly from this directory.
-
-## Useful references
-- Wails v3 dialog docs: https://v3.wails.io/features/dialogs/message/ and https://v3.wails.io/features/dialogs/custom/ (may 403 from some clients).
-- Authoritative TS signatures: `frontend/node_modules/@wailsio/runtime/types/dialogs.d.ts`.
-- Wails examples: https://github.com/wailsapp/wails/tree/master/v3/examples/dialogs

client/ui/README.md

@@ -1,100 +0,0 @@
-# NetBird desktop UI (Wails3 + React)
-
-Replaces `client/ui` (Fyne). One binary on Windows / macOS / Linux,
-talks to the NetBird daemon over gRPC, renders a React frontend in a
-WebView.
-
-## Prerequisites
-
-- Go ≥ 1.25, Node ≥ 20, **pnpm** (`corepack enable && corepack prepare pnpm@latest --activate`)
-- `wails3` CLI: `go install github.com/wailsapp/wails/v3/cmd/wails3@latest`
-- `task`: `go install github.com/go-task/task/v3/cmd/task@latest`
-- A running NetBird daemon (default: `unix:///var/run/netbird.sock`,
-  Windows `tcp://127.0.0.1:41731`)
-- Linux only: `libwebkit2gtk-4.1-dev`, `libgtk-3-dev`,
-  `libayatana-appindicator3-dev`
-
-## Develop without rebuilding
-
-```bash
-cd client/ui
-task dev
-```
-
-`task dev` runs Vite (port 9245) + the Go binary + a `*.go` watcher.
-Frontend edits hot-reload instantly. Go edits trigger a rebuild and
-relaunch. Pass daemon flags after `--`:
-
-```bash
-task dev -- --daemon-addr=tcp://127.0.0.1:41731
-```
-
-For pure UI work (no native window, fastest loop):
-
-```bash
-cd frontend && pnpm dev
-```
-
-## Production build
-
-```bash
-task build
-```
-
-Output in `bin/`. Frontend assets are embedded into the binary.
-
-### Cross-compile Windows from Linux
-
-Install the mingw-w64 toolchain once:
-
-```bash
-sudo apt install gcc-mingw-w64-x86-64           # Debian/Ubuntu
-sudo dnf install mingw64-gcc                    # Fedora
-sudo pacman -S mingw-w64-gcc                    # Arch
-```
-
-Then:
-
-```bash
-CGO_ENABLED=1 task windows:build
-```
-
-Produces `bin/netbird-ui.exe`. macOS cross-compile from Linux is not
-supported (signing and notarization need a real Mac).
-
-### Windows console build (logs in the terminal)
-
-Default `windows:build` links the binary as a Windows GUI app, which
-detaches from the launching console — `logrus` output, `fmt.Println`,
-and panics go nowhere visible. To debug tray/event/daemon issues:
-
-```bash
-CGO_ENABLED=1 task windows:build:console
-```
-
-Produces `bin/netbird-ui-console.exe`. Run it from `cmd.exe` /
-PowerShell / Windows Terminal and stdout/stderr land in that
-terminal. Same flag works on a native Windows build (drop the
-`CGO_ENABLED=1` if your toolchain already has it set).
-
-## Regenerating bindings
-
-When a Go service signature changes:
-
-```bash
-wails3 generate bindings
-```
-
-`task dev` does this automatically on `*.go` save.
-
-## Tray icons
-
-Source SVGs live in `assets/svg/` (state.svg + state-macos.svg). After editing
-any SVG, rasterize to the PNGs the Go side embeds:
-
-```bash
-task common:generate:tray:icons
-```
-
-Requires Inkscape. Commit the resulting `assets/*.png` files alongside the
-SVG change so CI doesn't need Inkscape installed.

client/ui/Taskfile.yml

@@ -1,58 +0,0 @@
-version: '3'
-
-includes:
-  common: ./build/Taskfile.yml
-  windows: ./build/windows/Taskfile.yml
-  darwin: ./build/darwin/Taskfile.yml
-  linux: ./build/linux/Taskfile.yml
-
-vars:
-  APP_NAME: "netbird-ui"
-  BIN_DIR: "bin"
-  VITE_PORT: '{{.WAILS_VITE_PORT | default 9245}}'
-
-tasks:
-  build:
-    summary: Builds the application
-    cmds:
-      - task: "{{OS}}:build"
-
-  package:
-    summary: Packages a production build of the application
-    cmds:
-      - task: "{{OS}}:package"
-
-  run:
-    summary: Runs the application
-    cmds:
-      - task: "{{OS}}:run"
-
-  dev:
-    summary: Runs the application in development mode
-    cmds:
-      - wails3 dev -config ./build/config.yml -port {{.VITE_PORT}}
-
-  setup:docker:
-    summary: Builds Docker image for cross-compilation (~800MB download)
-    cmds:
-      - task: common:setup:docker
-
-  build:server:
-    summary: Builds the application in server mode (no GUI, HTTP server only)
-    cmds:
-      - task: common:build:server
-
-  run:server:
-    summary: Runs the application in server mode
-    cmds:
-      - task: common:run:server
-
-  build:docker:
-    summary: Builds a Docker image for server mode deployment
-    cmds:
-      - task: common:build:docker
-
-  run:docker:
-    summary: Builds and runs the Docker image
-    cmds:
-      - task: common:run:docker

client/ui/assets/svg/needs-login.svg

@@ -1,10 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" fill="none">
-  <g transform="translate(0.5 4.5) scale(1.0)" opacity="0.7">
-    <path d="M21.4631 0.523438C17.8173 0.857913 16.0028 2.95675 15.3171 4.01871L4.66406 22.4734H17.5163L30.1929 0.523438H21.4631Z" fill="#F68330"/>
-    <path d="M17.5265 22.4737L0 3.88525C0 3.88525 19.8177 -1.44128 21.7493 15.1738L17.5265 22.4737Z" fill="#F68330"/>
-    <path d="M14.9236 4.70563L9.54688 14.0208L17.5158 22.4747L21.7385 15.158C21.0696 9.44682 18.2851 6.32784 14.9236 4.69727" fill="#F05252"/>
-  </g>
-  <circle cx="25" cy="25" r="7" fill="white"/>
-  <path d="M 22.6 24.5 v -1.4 a 2.4 2.4 0 0 1 4.8 0 v 1.4" fill="none" stroke="#D97706" stroke-width="1.5" stroke-linecap="round"/>
-  <rect x="21.6" y="24.5" width="6.8" height="4.9" rx="0.9" fill="none" stroke="#D97706" stroke-width="1.5"/>
-</svg>

client/ui/build/Taskfile.yml

@@ -1,295 +0,0 @@
-version: '3'
-
-tasks:
-  go:mod:tidy:
-    summary: Runs `go mod tidy`
-    internal: true
-    cmds:
-      - go mod tidy
-
-  install:frontend:deps:
-    summary: Install frontend dependencies
-    dir: frontend
-    sources:
-      - package.json
-      - pnpm-lock.yaml
-    generates:
-      - node_modules
-    preconditions:
-      - sh: pnpm --version
-        msg: "Looks like pnpm isn't installed. Install with: corepack enable && corepack prepare pnpm@latest --activate"
-    cmds:
-      - pnpm install
-
-  build:frontend:
-    label: build:frontend (DEV={{.DEV}})
-    summary: Build the frontend project
-    dir: frontend
-    sources:
-      - "**/*"
-      - exclude: node_modules/**/*
-    generates:
-      - dist/**/*
-    deps:
-      - task: install:frontend:deps
-      - task: generate:bindings
-        vars:
-          BUILD_FLAGS:
-            ref: .BUILD_FLAGS
-    cmds:
-      - pnpm run {{.BUILD_COMMAND}}
-    env:
-      PRODUCTION: '{{if eq .DEV "true"}}false{{else}}true{{end}}'
-    vars:
-      BUILD_COMMAND: '{{if eq .DEV "true"}}build:dev{{else}}build{{end}}'
-
-
-  frontend:vendor:puppertino:
-    summary: Fetches Puppertino CSS into frontend/public for consistent mobile styling
-    sources:
-      - frontend/public/puppertino/puppertino.css
-    generates:
-      - frontend/public/puppertino/puppertino.css
-    cmds:
-      - |
-        set -euo pipefail
-        mkdir -p frontend/public/puppertino
-        # If bundled Puppertino exists, prefer it. Otherwise, try to fetch, but don't fail build on error.
-        if [ ! -f frontend/public/puppertino/puppertino.css ]; then
-          echo "No bundled Puppertino found. Attempting to fetch from GitHub..."
-          if curl -fsSL https://raw.githubusercontent.com/codedgar/Puppertino/main/dist/css/full.css -o frontend/public/puppertino/puppertino.css; then
-            curl -fsSL https://raw.githubusercontent.com/codedgar/Puppertino/main/LICENSE -o frontend/public/puppertino/LICENSE || true
-            echo "Puppertino CSS downloaded to frontend/public/puppertino/puppertino.css"
-          else
-            echo "Warning: Could not fetch Puppertino CSS. Proceeding without download since template may bundle it."
-          fi
-        else
-          echo "Using bundled Puppertino at frontend/public/puppertino/puppertino.css"
-        fi
-        # Ensure index.html includes Puppertino CSS and button classes
-        INDEX_HTML=frontend/index.html
-        if [ -f "$INDEX_HTML" ]; then
-          if ! grep -q 'href="/puppertino/puppertino.css"' "$INDEX_HTML"; then
-            # Insert Puppertino link tag after style.css link
-            awk '
-              /href="\/style.css"\/?/ && !x { print; print "    <link rel=\"stylesheet\" href=\"/puppertino/puppertino.css\"/>"; x=1; next }1
-            ' "$INDEX_HTML" > "$INDEX_HTML.tmp" && mv "$INDEX_HTML.tmp" "$INDEX_HTML"
-          fi
-          # Replace default .btn with Puppertino primary button classes if present
-          sed -E -i'' 's/class=\"btn\"/class=\"p-btn p-prim-col\"/g' "$INDEX_HTML" || true
-        fi
-
-
-  generate:bindings:
-    label: generate:bindings (BUILD_FLAGS={{.BUILD_FLAGS}})
-    summary: Generates bindings for the frontend
-    deps:
-      - task: go:mod:tidy
-    sources:
-      - "**/*.[jt]s"
-      - exclude: frontend/**/*
-      - frontend/bindings/**/*  # Rerun when switching between dev/production mode causes changes in output
-      - "**/*.go"
-      - go.mod
-      - go.sum
-    generates:
-      - frontend/bindings/**/*
-    cmds:
-      - wails3 generate bindings -f '{{.BUILD_FLAGS}}' -clean=true -ts
-
-  generate:icons:
-    summary: Generates Windows `.ico` and Mac `.icns` from an image; on macOS, `-iconcomposerinput appicon.icon -macassetdir darwin` also produces `Assets.car` from a `.icon` file (skipped on other platforms).
-    dir: build
-    sources:
-      - "appicon.png"
-      - "appicon.icon"
-    generates:
-      - "darwin/icons.icns"
-      - "windows/icon.ico"
-    cmds:
-      - wails3 generate icons -input appicon.png -macfilename darwin/icons.icns -windowsfilename windows/icon.ico -iconcomposerinput appicon.icon -macassetdir darwin
-
-  generate:tray:icons:
-    summary: Rebuild Windows multi-res .ico files from the per-state PNGs.
-    desc: |
-      The colored tray PNGs (assets/netbird-systemtray-<state>.png) and the
-      macOS template variants are committed to the repo as the canonical
-      source. This task only regenerates the Windows multi-resolution .ico
-      files from those PNGs by downscaling each to 16/24/32/48 px and
-      packing them with icotool, so Shell_NotifyIcon picks the frame
-      matching the user's DPI instead of downscaling a single large PNG.
-
-      Run after replacing any of the colored PNGs (e.g. when copying a new
-      version of the icons from client/ui/assets). The SVG sources in
-      assets/svg/ are kept for reference but are not built by default.
-    dir: assets
-    sources:
-      - "netbird-systemtray-connected.png"
-      - "netbird-systemtray-disconnected.png"
-      - "netbird-systemtray-connecting.png"
-      - "netbird-systemtray-error.png"
-      - "netbird-systemtray-update-connected.png"
-      - "netbird-systemtray-update-disconnected.png"
-    generates:
-      - "netbird-systemtray-*.ico"
-    preconditions:
-      - sh: command -v magick >/dev/null 2>&1 || command -v convert >/dev/null 2>&1
-        msg: "ImageMagick is required to downscale PNGs (apt install imagemagick)"
-      - sh: command -v icotool >/dev/null 2>&1
-        msg: "icotool is required to pack tray .ico files (apt install icoutils)"
-    cmds:
-      - |
-        set -euo pipefail
-        tmp=$(mktemp -d)
-        trap 'rm -rf "$tmp"' EXIT
-        resize=$(command -v magick || echo convert)
-        for state in connected disconnected connecting error update-connected update-disconnected; do
-          for sz in 16 24 32 48; do
-            "$resize" "netbird-systemtray-$state.png" -resize ${sz}x${sz} "$tmp/$state-$sz.png"
-          done
-          icotool -c -o "netbird-systemtray-$state.ico" \
-            "$tmp/$state-16.png" "$tmp/$state-24.png" "$tmp/$state-32.png" "$tmp/$state-48.png"
-        done
-
-  dev:frontend:
-    summary: Runs the frontend in development mode
-    dir: frontend
-    deps:
-      - task: install:frontend:deps
-    cmds:
-      - pnpm exec vite --port {{.VITE_PORT}} --strictPort
-
-  update:build-assets:
-    summary: Updates the build assets
-    dir: build
-    cmds:
-      - wails3 update build-assets -name "{{.APP_NAME}}" -binaryname "{{.APP_NAME}}" -config config.yml -dir .
-
-  build:server:
-    summary: Builds the application in server mode (no GUI, HTTP server only)
-    desc: |
-      Builds the application with the server build tag enabled.
-      Server mode runs as a pure HTTP server without native GUI dependencies.
-      Usage: task build:server
-    deps:
-      - task: build:frontend
-        vars:
-          BUILD_FLAGS:
-            ref: .BUILD_FLAGS
-    cmds:
-      - go build -tags server {{.BUILD_FLAGS}} -o {{.BIN_DIR}}/{{.APP_NAME}}-server{{exeExt}}
-    vars:
-      BUILD_FLAGS: "{{.BUILD_FLAGS}}"
-
-  run:server:
-    summary: Builds and runs the application in server mode
-    deps:
-      - task: build:server
-    cmds:
-      - ./{{.BIN_DIR}}/{{.APP_NAME}}-server{{exeExt}}
-
-  build:docker:
-    summary: Builds a Docker image for server mode deployment
-    desc: |
-      Creates a minimal Docker image containing the server mode binary.
-      The image is based on distroless for security and small size.
-      Usage: task build:docker [TAG=myapp:latest]
-    cmds:
-      - docker build -t {{.TAG | default (printf "%s:latest" .APP_NAME)}} -f build/docker/Dockerfile.server .
-    vars:
-      TAG: "{{.TAG}}"
-    preconditions:
-      - sh: docker info > /dev/null 2>&1
-        msg: "Docker is required. Please install Docker first."
-      - sh: test -f build/docker/Dockerfile.server
-        msg: "Dockerfile.server not found. Run 'wails3 update build-assets' to generate it."
-
-  run:docker:
-    summary: Builds and runs the Docker image
-    desc: |
-      Builds the Docker image and runs it, exposing port 8080.
-      Usage: task run:docker [TAG=myapp:latest] [PORT=8080]
-      Note: The internal container port is always 8080. The PORT variable
-      only changes the host port mapping. Ensure your app uses port 8080
-      or modify the Dockerfile to match your ServerOptions.Port setting.
-    deps:
-      - task: build:docker
-        vars:
-          TAG:
-            ref: .TAG
-    cmds:
-      - docker run --rm -p {{.PORT | default "8080"}}:8080 {{.TAG | default (printf "%s:latest" .APP_NAME)}}
-    vars:
-      TAG: "{{.TAG}}"
-      PORT: "{{.PORT}}"
-
-  setup:docker:
-    summary: Builds Docker image for cross-compilation (~800MB download)
-    desc: |
-      Builds the Docker image needed for cross-compiling to any platform.
-      Run this once to enable cross-platform builds from any OS.
-    cmds:
-      - docker build -t wails-cross -f build/docker/Dockerfile.cross build/docker/
-    preconditions:
-      - sh: docker info > /dev/null 2>&1
-        msg: "Docker is required. Please install Docker first."
-
-  ios:device:list:
-    summary: Lists connected iOS devices (UDIDs)
-    cmds:
-      - xcrun xcdevice list
-
-  ios:run:device:
-    summary: Build, install, and launch on a physical iPhone using Apple tools (xcodebuild/devicectl)
-    vars:
-      PROJECT: '{{.PROJECT}}'   # e.g., build/ios/xcode/<YourProject>.xcodeproj
-      SCHEME: '{{.SCHEME}}'     # e.g., ios.dev
-      CONFIG: '{{.CONFIG | default "Debug"}}'
-      DERIVED: '{{.DERIVED | default "build/ios/DerivedData"}}'
-      UDID: '{{.UDID}}'         # from `task ios:device:list`
-      BUNDLE_ID: '{{.BUNDLE_ID}}' # e.g., com.yourco.wails.ios.dev
-      TEAM_ID: '{{.TEAM_ID}}'   # optional, if your project is not already set up for signing
-    preconditions:
-      - sh: xcrun -f xcodebuild
-        msg: "xcodebuild not found. Please install Xcode."
-      - sh: xcrun -f devicectl
-        msg: "devicectl not found. Please update to Xcode 15+ (which includes devicectl)."
-      - sh: test -n '{{.PROJECT}}'
-        msg: "Set PROJECT to your .xcodeproj path (e.g., PROJECT=build/ios/xcode/App.xcodeproj)."
-      - sh: test -n '{{.SCHEME}}'
-        msg: "Set SCHEME to your app scheme (e.g., SCHEME=ios.dev)."
-      - sh: test -n '{{.UDID}}'
-        msg: "Set UDID to your device UDID (see: task ios:device:list)."
-      - sh: test -n '{{.BUNDLE_ID}}'
-        msg: "Set BUNDLE_ID to your app's bundle identifier (e.g., com.yourco.wails.ios.dev)."
-    cmds:
-      - |
-        set -euo pipefail
-        echo "Building for device: UDID={{.UDID}} SCHEME={{.SCHEME}} PROJECT={{.PROJECT}}"
-        XCB_ARGS=(
-          -project "{{.PROJECT}}"
-          -scheme "{{.SCHEME}}"
-          -configuration "{{.CONFIG}}"
-          -destination "id={{.UDID}}"
-          -derivedDataPath "{{.DERIVED}}"
-          -allowProvisioningUpdates
-          -allowProvisioningDeviceRegistration
-        )
-        # Optionally inject signing identifiers if provided
-        if [ -n '{{.TEAM_ID}}' ]; then XCB_ARGS+=(DEVELOPMENT_TEAM={{.TEAM_ID}}); fi
-        if [ -n '{{.BUNDLE_ID}}' ]; then XCB_ARGS+=(PRODUCT_BUNDLE_IDENTIFIER={{.BUNDLE_ID}}); fi
-        xcodebuild "${XCB_ARGS[@]}" build | xcpretty || true
-        # If xcpretty isn't installed, run without it
-        if [ "${PIPESTATUS[0]}" -ne 0 ]; then
-          xcodebuild "${XCB_ARGS[@]}" build
-        fi
-        # Find built .app
-        APP_PATH=$(find "{{.DERIVED}}/Build/Products" -type d -name "*.app" -maxdepth 3 | head -n 1)
-        if [ -z "$APP_PATH" ]; then
-          echo "Could not locate built .app under {{.DERIVED}}/Build/Products" >&2
-          exit 1
-        fi
-        echo "Installing: $APP_PATH"
-        xcrun devicectl device install app --device "{{.UDID}}" "$APP_PATH"
-        echo "Launching: {{.BUNDLE_ID}}"
-        xcrun devicectl device process launch --device "{{.UDID}}" --stderr console --stdout console "{{.BUNDLE_ID}}"

client/ui/build/appicon.icon/Assets/wails_icon_vector.svg

@@ -1,13 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!--
-  macOS Icon Composer source. Designed on a 1024x1024 canvas with the bird
-  glyph centered and sized to ~75% of canvas width, leaving padding for
-  the system squircle treatment.
--->
-<svg xmlns="http://www.w3.org/2000/svg" width="1024" height="1024" viewBox="0 0 1024 1024">
-  <g transform="translate(128, 227) scale(24.77)">
-    <path d="M21.4631 0.523438C17.8173 0.857913 16.0028 2.95675 15.3171 4.01871L4.66406 22.4734H17.5163L30.1929 0.523438H21.4631Z" fill="#F68330"/>
-    <path d="M17.5265 22.4737L0 3.88525C0 3.88525 19.8177 -1.44128 21.7493 15.1738L17.5265 22.4737Z" fill="#F68330"/>
-    <path d="M14.9236 4.70563L9.54688 14.0208L17.5158 22.4747L21.7385 15.158C21.0696 9.44682 18.2851 6.32784 14.9236 4.69727" fill="#F05252"/>
-  </g>
-</svg>

client/ui/build/appicon.icon/icon.json

@@ -1,26 +0,0 @@
-{
-  "fill" : {
-    "solid" : "srgb:1.00000,1.00000,1.00000,1.00000"
-  },
-  "groups" : [
-    {
-      "layers" : [
-        {
-          "image-name" : "wails_icon_vector.svg",
-          "name" : "wails_icon_vector"
-        }
-      ],
-      "shadow" : {
-        "kind" : "neutral",
-        "opacity" : 0.5
-      },
-      "specular" : true
-    }
-  ],
-  "supported-platforms" : {
-    "circles" : [
-      "watchOS"
-    ],
-    "squares" : "shared"
-  }
-}

client/ui/build/build-ui-linux.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+sudo apt update
+sudo apt remove gir1.2-appindicator3-0.1
+sudo apt install -y libayatana-appindicator3-dev
+go build

client/ui/build/config.yml

@@ -1,78 +0,0 @@
-# This file contains the configuration for this project.
-# When you update `info` or `fileAssociations`, run `wails3 task common:update:build-assets` to update the assets.
-# Note that this will overwrite any changes you have made to the assets.
-version: '3'
-
-# This information is used to generate the build assets.
-info:
-  companyName: "My Company" # The name of the company
-  productName: "My Product" # The name of the application
-  productIdentifier: "com.mycompany.myproduct" # The unique product identifier
-  description: "A program that does X" # The application description
-  copyright: "(c) 2025, My Company" # Copyright text
-  comments: "Some Product Comments" # Comments
-  version: "0.0.1" # The application version
-  # cfBundleIconName: "appicon" # The macOS icon name in Assets.car icon bundles (optional)
-  #                               # Should match the name of your .icon file without the extension
-  #                               # If not set and Assets.car exists, defaults to "appicon"
-
-# iOS build configuration (uncomment to customise iOS project generation)
-# Note: Keys under `ios` OVERRIDE values under `info` when set.
-# ios:
-#   # The iOS bundle identifier used in the generated Xcode project (CFBundleIdentifier)
-#   bundleID: "com.mycompany.myproduct"
-#   # The display name shown under the app icon (CFBundleDisplayName/CFBundleName)
-#   displayName: "My Product"
-#   # The app version to embed in Info.plist (CFBundleShortVersionString/CFBundleVersion)
-#   version: "0.0.1"
-#   # The company/organisation name for templates and project settings
-#   company: "My Company"
-#   # Additional comments to embed in Info.plist metadata
-#   comments: "Some Product Comments"
-
-# Dev mode configuration
-dev_mode:
-  root_path: .
-  log_level: warn
-  debounce: 1000
-  ignore:
-    dir:
-      - .git
-      - node_modules
-      - frontend
-      - bin
-    file:
-      - .DS_Store
-      - .gitignore
-      - .gitkeep
-    watched_extension:
-      - "*.go"
-      - "*.js" # Watch for changes to JS/TS files included using the //wails:include directive.
-      - "*.ts" # The frontend directory will be excluded entirely by the setting above.
-    git_ignore: true
-  executes:
-    - cmd: wails3 build DEV=true
-      type: blocking
-    - cmd: wails3 task common:dev:frontend
-      type: background
-    - cmd: wails3 task run
-      type: primary
-
-# File Associations
-# More information at: https://v3.wails.io/noit/done/yet
-fileAssociations:
-#  - ext: wails
-#    name: Wails
-#    description: Wails Application File
-#    iconName: wailsFileIcon
-#    role: Editor
-#  - ext: jpg
-#    name: JPEG
-#    description: Image File
-#    iconName: jpegFileIcon
-#    role: Editor
-#    mimeType: image/jpeg  # (optional)
-
-# Other data
-other:
-  - name: My Other Data

client/ui/build/darwin/Info.dev.plist

@@ -1,38 +0,0 @@
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-    <dict>
-        <key>CFBundlePackageType</key>
-            <string>APPL</string>
-        <key>CFBundleName</key>
-            <string>NetBird</string>
-        <key>CFBundleDisplayName</key>
-            <string>NetBird</string>
-        <key>CFBundleExecutable</key>
-            <string>netbird-ui</string>
-        <key>CFBundleIdentifier</key>
-            <string>io.netbird.client</string>
-        <key>CFBundleVersion</key>
-            <string>0.0.1</string>
-        <key>CFBundleGetInfoString</key>
-            <string>This is a comment</string>
-        <key>CFBundleShortVersionString</key>
-            <string>0.0.1</string>
-        <key>CFBundleIconFile</key>
-            <string>icons</string>
-        <key>CFBundleIconName</key>
-            <string>appicon</string>
-        <key>LSMinimumSystemVersion</key>
-            <string>10.15.0</string>
-        <key>NSHighResolutionCapable</key>
-            <string>true</string>
-        <key>LSUIElement</key>
-            <string>1</string>
-        <key>NSHumanReadableCopyright</key>
-            <string>© 2026, My Company</string>
-        <key>NSAppTransportSecurity</key>
-        <dict>
-            <key>NSAllowsLocalNetworking</key>
-            <true/>
-        </dict>
-    </dict>
-</plist>

client/ui/build/darwin/Info.plist

@@ -1,36 +0,0 @@
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-    <dict>
-        <key>CFBundlePackageType</key>
-            <string>APPL</string>
-        <key>CFBundleName</key>
-            <string>NetBird</string>
-        <key>CFBundleDisplayName</key>
-            <string>NetBird</string>
-        <key>CFBundleExecutable</key>
-            <string>netbird-ui</string>
-        <key>CFBundleIdentifier</key>
-            <string>io.netbird.client</string>
-        <key>CFBundleVersion</key>
-            <string>0.0.1</string>
-        <key>CFBundleGetInfoString</key>
-            <string>This is a comment</string>
-        <key>CFBundleShortVersionString</key>
-            <string>0.0.1</string>
-        <key>CFBundleIconFile</key>
-            <string>icons</string>
-        <key>CFBundleIconName</key>
-            <string>appicon</string>
-        <key>LSMinimumSystemVersion</key>
-            <string>10.15.0</string>
-        <key>NSHighResolutionCapable</key>
-            <string>true</string>
-        <!-- Accessory mode: tray-only app, no Dock entry, no Cmd-Tab
-             presence. Matches the legacy Fyne client and the sign-pipelines
-             Info.plist used in signed .pkg releases. -->
-        <key>LSUIElement</key>
-            <string>1</string>
-        <key>NSHumanReadableCopyright</key>
-            <string>© 2026, My Company</string>
-    </dict>
-</plist>

client/ui/build/darwin/Taskfile.yml

@@ -1,210 +0,0 @@
-version: '3'
-
-includes:
-  common: ../Taskfile.yml
-
-vars:
-  # Signing configuration - edit these values for your project
-  # SIGN_IDENTITY: "Developer ID Application: Your Company (TEAMID)"
-  # KEYCHAIN_PROFILE: "my-notarize-profile"
-  # ENTITLEMENTS: "build/darwin/entitlements.plist"
-
-  # Docker image for cross-compilation (used when building on non-macOS)
-  CROSS_IMAGE: wails-cross
-
-tasks:
-  build:
-    summary: Builds the application
-    cmds:
-      - task: '{{if eq OS "darwin"}}build:native{{else}}build:docker{{end}}'
-        vars:
-          ARCH: '{{.ARCH}}'
-          DEV: '{{.DEV}}'
-          OUTPUT: '{{.OUTPUT}}'
-          EXTRA_TAGS: '{{.EXTRA_TAGS}}'
-    vars:
-      DEFAULT_OUTPUT: '{{.BIN_DIR}}/{{.APP_NAME}}'
-      OUTPUT: '{{ .OUTPUT | default .DEFAULT_OUTPUT }}'
-
-  build:native:
-    summary: Builds the application natively on macOS
-    internal: true
-    deps:
-      - task: common:go:mod:tidy
-      - task: common:build:frontend
-        vars:
-          BUILD_FLAGS:
-            ref: .BUILD_FLAGS
-          DEV:
-            ref: .DEV
-      - task: common:generate:icons
-    cmds:
-      - go build {{.BUILD_FLAGS}} -o {{.OUTPUT}}
-    vars:
-      BUILD_FLAGS: '{{if eq .DEV "true"}}{{if .EXTRA_TAGS}}-tags {{.EXTRA_TAGS}} {{end}}-buildvcs=false -gcflags=all="-l"{{else}}-tags production{{if .EXTRA_TAGS}},{{.EXTRA_TAGS}}{{end}} -trimpath -buildvcs=false -ldflags="-w -s"{{end}}'
-      DEFAULT_OUTPUT: '{{.BIN_DIR}}/{{.APP_NAME}}'
-      OUTPUT: '{{ .OUTPUT | default .DEFAULT_OUTPUT }}'
-    env:
-      GOOS: darwin
-      CGO_ENABLED: 1
-      GOARCH: '{{.ARCH | default ARCH}}'
-      CGO_CFLAGS: "-mmacosx-version-min=10.15"
-      CGO_LDFLAGS: "-mmacosx-version-min=10.15"
-      MACOSX_DEPLOYMENT_TARGET: "10.15"
-
-  build:docker:
-    summary: Cross-compiles for macOS using Docker (for Linux/Windows hosts)
-    internal: true
-    deps:
-      - task: common:build:frontend
-      - task: common:generate:icons
-    preconditions:
-      - sh: docker info > /dev/null 2>&1
-        msg: "Docker is required for cross-compilation. Please install Docker."
-      - sh: docker image inspect {{.CROSS_IMAGE}} > /dev/null 2>&1
-        msg: |
-          Docker image '{{.CROSS_IMAGE}}' not found.
-          Build it first: wails3 task setup:docker
-    cmds:
-      - docker run --rm -v "{{.ROOT_DIR}}:/app" {{.GO_CACHE_MOUNT}} {{.REPLACE_MOUNTS}} -e APP_NAME="{{.APP_NAME}}" {{if .EXTRA_TAGS}}-e EXTRA_TAGS="{{.EXTRA_TAGS}}"{{end}} {{.CROSS_IMAGE}} darwin {{.DOCKER_ARCH}}
-      - docker run --rm -v "{{.ROOT_DIR}}:/app" alpine chown -R $(id -u):$(id -g) /app/bin
-      - mkdir -p {{.BIN_DIR}}
-      - mv "bin/{{.APP_NAME}}-darwin-{{.DOCKER_ARCH}}" "{{.OUTPUT}}"
-    vars:
-      DOCKER_ARCH: '{{if eq .ARCH "arm64"}}arm64{{else if eq .ARCH "amd64"}}amd64{{else}}arm64{{end}}'
-      DEFAULT_OUTPUT: '{{.BIN_DIR}}/{{.APP_NAME}}'
-      OUTPUT: '{{ .OUTPUT | default .DEFAULT_OUTPUT }}'
-      # Mount Go module cache for faster builds
-      GO_CACHE_MOUNT:
-        sh: 'echo "-v ${GOPATH:-$HOME/go}/pkg/mod:/go/pkg/mod"'
-      # Extract replace directives from go.mod and create -v mounts for each
-      # Handles both relative (=> ../) and absolute (=> /) paths
-      REPLACE_MOUNTS:
-        sh: |
-          grep -E '^replace .* => ' go.mod 2>/dev/null | while read -r line; do
-            path=$(echo "$line" | sed -E 's/^replace .* => //' | tr -d '\r')
-            # Convert relative paths to absolute
-            if [ "${path#/}" = "$path" ]; then
-              path="$(cd "$(dirname "$path")" 2>/dev/null && pwd)/$(basename "$path")"
-            fi
-            # Only mount if directory exists
-            if [ -d "$path" ]; then
-              echo "-v $path:$path:ro"
-            fi
-          done | tr '\n' ' '
-
-  build:universal:
-    summary: Builds darwin universal binary (arm64 + amd64)
-    deps:
-      - task: build
-        vars:
-          ARCH: amd64
-          OUTPUT: "{{.BIN_DIR}}/{{.APP_NAME}}-amd64"
-      - task: build
-        vars:
-          ARCH: arm64
-          OUTPUT: "{{.BIN_DIR}}/{{.APP_NAME}}-arm64"
-    cmds:
-      - task: '{{if eq OS "darwin"}}build:universal:lipo:native{{else}}build:universal:lipo:go{{end}}'
-
-  build:universal:lipo:native:
-    summary: Creates universal binary using native lipo (macOS)
-    internal: true
-    cmds:
-      - lipo -create -output "{{.BIN_DIR}}/{{.APP_NAME}}" "{{.BIN_DIR}}/{{.APP_NAME}}-amd64" "{{.BIN_DIR}}/{{.APP_NAME}}-arm64"
-      - rm "{{.BIN_DIR}}/{{.APP_NAME}}-amd64" "{{.BIN_DIR}}/{{.APP_NAME}}-arm64"
-
-  build:universal:lipo:go:
-    summary: Creates universal binary using wails3 tool lipo (Linux/Windows)
-    internal: true
-    cmds:
-      - wails3 tool lipo -output "{{.BIN_DIR}}/{{.APP_NAME}}" -input "{{.BIN_DIR}}/{{.APP_NAME}}-amd64" -input "{{.BIN_DIR}}/{{.APP_NAME}}-arm64"
-      - rm -f "{{.BIN_DIR}}/{{.APP_NAME}}-amd64" "{{.BIN_DIR}}/{{.APP_NAME}}-arm64"
-
-  package:
-    summary: Packages the application into a `.app` bundle
-    deps:
-      - task: build
-    cmds:
-      - task: create:app:bundle
-
-  package:universal:
-    summary: Packages darwin universal binary (arm64 + amd64)
-    deps:
-      - task: build:universal
-    cmds:
-      - task: create:app:bundle
-
-
-  create:app:bundle:
-    summary: Creates an `.app` bundle
-    cmds:
-      - mkdir -p "{{.BIN_DIR}}/{{.APP_NAME}}.app/Contents/MacOS"
-      - mkdir -p "{{.BIN_DIR}}/{{.APP_NAME}}.app/Contents/Resources"
-      - cp build/darwin/icons.icns "{{.BIN_DIR}}/{{.APP_NAME}}.app/Contents/Resources"
-      - |
-        if [ -f build/darwin/Assets.car ]; then
-          cp build/darwin/Assets.car "{{.BIN_DIR}}/{{.APP_NAME}}.app/Contents/Resources"
-        fi
-      - cp "{{.BIN_DIR}}/{{.APP_NAME}}" "{{.BIN_DIR}}/{{.APP_NAME}}.app/Contents/MacOS"
-      - cp build/darwin/Info.plist "{{.BIN_DIR}}/{{.APP_NAME}}.app/Contents"
-      - task: '{{if eq OS "darwin"}}codesign:adhoc{{else}}codesign:skip{{end}}'
-
-  codesign:adhoc:
-    summary: Ad-hoc signs the app bundle (macOS only)
-    internal: true
-    cmds:
-      - codesign --force --deep --sign - "{{.BIN_DIR}}/{{.APP_NAME}}.app"
-
-  codesign:skip:
-    summary: Skips codesigning when cross-compiling
-    internal: true
-    cmds:
-      - 'echo "Skipping codesign (not available on {{OS}}). Sign the .app on macOS before distribution."'
-
-  run:
-    deps:
-      - task: common:generate:icons
-    cmds:
-      - mkdir -p "{{.BIN_DIR}}/{{.APP_NAME}}.dev.app/Contents/MacOS"
-      - mkdir -p "{{.BIN_DIR}}/{{.APP_NAME}}.dev.app/Contents/Resources"
-      - cp build/darwin/icons.icns "{{.BIN_DIR}}/{{.APP_NAME}}.dev.app/Contents/Resources"
-      - |
-        if [ -f build/darwin/Assets.car ]; then
-          cp build/darwin/Assets.car "{{.BIN_DIR}}/{{.APP_NAME}}.dev.app/Contents/Resources"
-        fi
-      - cp "{{.BIN_DIR}}/{{.APP_NAME}}" "{{.BIN_DIR}}/{{.APP_NAME}}.dev.app/Contents/MacOS"
-      - cp "build/darwin/Info.dev.plist" "{{.BIN_DIR}}/{{.APP_NAME}}.dev.app/Contents/Info.plist"
-      - codesign --force --deep --sign - "{{.BIN_DIR}}/{{.APP_NAME}}.dev.app"
-      - '{{.BIN_DIR}}/{{.APP_NAME}}.dev.app/Contents/MacOS/{{.APP_NAME}}'
-
-  sign:
-    summary: Signs the application bundle with Developer ID
-    desc: |
-      Signs the .app bundle for distribution.
-      Configure SIGN_IDENTITY in the vars section at the top of this file.
-    deps:
-      - task: package
-    cmds:
-      - wails3 tool sign --input "{{.BIN_DIR}}/{{.APP_NAME}}.app" --identity "{{.SIGN_IDENTITY}}" {{if .ENTITLEMENTS}}--entitlements {{.ENTITLEMENTS}}{{end}}
-    preconditions:
-      - sh: '[ -n "{{.SIGN_IDENTITY}}" ]'
-        msg: "SIGN_IDENTITY is required. Set it in the vars section at the top of build/darwin/Taskfile.yml"
-
-  sign:notarize:
-    summary: Signs and notarizes the application bundle
-    desc: |
-      Signs the .app bundle and submits it for notarization.
-      Configure SIGN_IDENTITY and KEYCHAIN_PROFILE in the vars section at the top of this file.
-
-      Setup (one-time):
-        wails3 signing credentials --apple-id "you@email.com" --team-id "TEAMID" --password "app-specific-password" --profile "my-profile"
-    deps:
-      - task: package
-    cmds:
-      - wails3 tool sign --input "{{.BIN_DIR}}/{{.APP_NAME}}.app" --identity "{{.SIGN_IDENTITY}}" {{if .ENTITLEMENTS}}--entitlements {{.ENTITLEMENTS}}{{end}} --notarize --keychain-profile {{.KEYCHAIN_PROFILE}}
-    preconditions:
-      - sh: '[ -n "{{.SIGN_IDENTITY}}" ]'
-        msg: "SIGN_IDENTITY is required. Set it in the vars section at the top of build/darwin/Taskfile.yml"
-      - sh: '[ -n "{{.KEYCHAIN_PROFILE}}" ]'
-        msg: "KEYCHAIN_PROFILE is required. Set it in the vars section at the top of build/darwin/Taskfile.yml"

client/ui/build/docker/Dockerfile.cross

@@ -1,203 +0,0 @@
-# Cross-compile Wails v3 apps to any platform
-#
-# Darwin: Zig + macOS SDK
-# Linux: Native GCC when host matches target, Zig for cross-arch
-# Windows: Zig + bundled mingw
-#
-# Usage:
-#   docker build -t wails-cross -f Dockerfile.cross .
-#   docker run --rm -v $(pwd):/app wails-cross darwin arm64
-#   docker run --rm -v $(pwd):/app wails-cross darwin amd64
-#   docker run --rm -v $(pwd):/app wails-cross linux amd64
-#   docker run --rm -v $(pwd):/app wails-cross linux arm64
-#   docker run --rm -v $(pwd):/app wails-cross windows amd64
-#   docker run --rm -v $(pwd):/app wails-cross windows arm64
-
-FROM golang:1.25-bookworm
-
-ARG TARGETARCH
-
-# Install base tools, GCC, and GTK/WebKit dev packages
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    curl xz-utils nodejs npm pkg-config gcc libc6-dev \
-    libgtk-3-dev libwebkit2gtk-4.1-dev \
-    libgtk-4-dev libwebkitgtk-6.0-dev \
-    && rm -rf /var/lib/apt/lists/*
-
-# Install Zig - automatically selects correct binary for host architecture
-ARG ZIG_VERSION=0.14.0
-RUN ZIG_ARCH=$(case "${TARGETARCH}" in arm64) echo "aarch64" ;; *) echo "x86_64" ;; esac) && \
-    curl -L "https://ziglang.org/download/${ZIG_VERSION}/zig-linux-${ZIG_ARCH}-${ZIG_VERSION}.tar.xz" \
-    | tar -xJ -C /opt \
-    && ln -s /opt/zig-linux-${ZIG_ARCH}-${ZIG_VERSION}/zig /usr/local/bin/zig
-
-# Download macOS SDK (required for darwin targets)
-ARG MACOS_SDK_VERSION=14.5
-RUN curl -L "https://github.com/joseluisq/macosx-sdks/releases/download/${MACOS_SDK_VERSION}/MacOSX${MACOS_SDK_VERSION}.sdk.tar.xz" \
-    | tar -xJ -C /opt \
-    && mv /opt/MacOSX${MACOS_SDK_VERSION}.sdk /opt/macos-sdk
-
-ENV MACOS_SDK_PATH=/opt/macos-sdk
-
-# Create Zig CC wrappers for cross-compilation targets
-# Darwin and Windows use Zig; Linux uses native GCC (run with --platform for cross-arch)
-
-# Darwin arm64
-COPY <<'ZIGWRAP' /usr/local/bin/zcc-darwin-arm64
-#!/bin/sh
-ARGS=""
-SKIP_NEXT=0
-for arg in "$@"; do
-    if [ $SKIP_NEXT -eq 1 ]; then
-        SKIP_NEXT=0
-        continue
-    fi
-    case "$arg" in
-        -target) SKIP_NEXT=1 ;;
-        -mmacosx-version-min=*) ;;
-        *) ARGS="$ARGS $arg" ;;
-    esac
-done
-exec zig cc -fno-sanitize=all -target aarch64-macos-none -isysroot /opt/macos-sdk -I/opt/macos-sdk/usr/include -L/opt/macos-sdk/usr/lib -F/opt/macos-sdk/System/Library/Frameworks -w $ARGS
-ZIGWRAP
-RUN chmod +x /usr/local/bin/zcc-darwin-arm64
-
-# Darwin amd64
-COPY <<'ZIGWRAP' /usr/local/bin/zcc-darwin-amd64
-#!/bin/sh
-ARGS=""
-SKIP_NEXT=0
-for arg in "$@"; do
-    if [ $SKIP_NEXT -eq 1 ]; then
-        SKIP_NEXT=0
-        continue
-    fi
-    case "$arg" in
-        -target) SKIP_NEXT=1 ;;
-        -mmacosx-version-min=*) ;;
-        *) ARGS="$ARGS $arg" ;;
-    esac
-done
-exec zig cc -fno-sanitize=all -target x86_64-macos-none -isysroot /opt/macos-sdk -I/opt/macos-sdk/usr/include -L/opt/macos-sdk/usr/lib -F/opt/macos-sdk/System/Library/Frameworks -w $ARGS
-ZIGWRAP
-RUN chmod +x /usr/local/bin/zcc-darwin-amd64
-
-# Windows amd64 - uses Zig's bundled mingw
-COPY <<'ZIGWRAP' /usr/local/bin/zcc-windows-amd64
-#!/bin/sh
-ARGS=""
-SKIP_NEXT=0
-for arg in "$@"; do
-    if [ $SKIP_NEXT -eq 1 ]; then
-        SKIP_NEXT=0
-        continue
-    fi
-    case "$arg" in
-        -target) SKIP_NEXT=1 ;;
-        -Wl,*) ;;
-        *) ARGS="$ARGS $arg" ;;
-    esac
-done
-exec zig cc -target x86_64-windows-gnu $ARGS
-ZIGWRAP
-RUN chmod +x /usr/local/bin/zcc-windows-amd64
-
-# Windows arm64 - uses Zig's bundled mingw
-COPY <<'ZIGWRAP' /usr/local/bin/zcc-windows-arm64
-#!/bin/sh
-ARGS=""
-SKIP_NEXT=0
-for arg in "$@"; do
-    if [ $SKIP_NEXT -eq 1 ]; then
-        SKIP_NEXT=0
-        continue
-    fi
-    case "$arg" in
-        -target) SKIP_NEXT=1 ;;
-        -Wl,*) ;;
-        *) ARGS="$ARGS $arg" ;;
-    esac
-done
-exec zig cc -target aarch64-windows-gnu $ARGS
-ZIGWRAP
-RUN chmod +x /usr/local/bin/zcc-windows-arm64
-
-# Build script
-COPY <<'SCRIPT' /usr/local/bin/build.sh
-#!/bin/sh
-set -e
-
-OS=${1:-darwin}
-ARCH=${2:-arm64}
-
-case "${OS}-${ARCH}" in
-    darwin-arm64|darwin-aarch64)
-        export CC=zcc-darwin-arm64
-        export GOARCH=arm64
-        export GOOS=darwin
-        ;;
-    darwin-amd64|darwin-x86_64)
-        export CC=zcc-darwin-amd64
-        export GOARCH=amd64
-        export GOOS=darwin
-        ;;
-    linux-arm64|linux-aarch64)
-        export CC=gcc
-        export GOARCH=arm64
-        export GOOS=linux
-        ;;
-    linux-amd64|linux-x86_64)
-        export CC=gcc
-        export GOARCH=amd64
-        export GOOS=linux
-        ;;
-    windows-arm64|windows-aarch64)
-        export CC=zcc-windows-arm64
-        export GOARCH=arm64
-        export GOOS=windows
-        ;;
-    windows-amd64|windows-x86_64)
-        export CC=zcc-windows-amd64
-        export GOARCH=amd64
-        export GOOS=windows
-        ;;
-    *)
-        echo "Usage: <os> <arch>"
-        echo "  os: darwin, linux, windows"
-        echo "  arch: amd64, arm64"
-        exit 1
-        ;;
-esac
-
-export CGO_ENABLED=1
-export CGO_CFLAGS="-w"
-
-# Build frontend if exists and not already built (host may have built it)
-if [ -d "frontend" ] && [ -f "frontend/package.json" ] && [ ! -d "frontend/dist" ]; then
-    (cd frontend && npm install --silent && npm run build --silent)
-fi
-
-# Build
-APP=${APP_NAME:-$(basename $(pwd))}
-mkdir -p bin
-
-EXT=""
-LDFLAGS="-s -w"
-if [ "$GOOS" = "windows" ]; then
-    EXT=".exe"
-    LDFLAGS="-s -w -H windowsgui"
-fi
-
-TAGS="production"
-if [ -n "$EXTRA_TAGS" ]; then
-    TAGS="${TAGS},${EXTRA_TAGS}"
-fi
-
-go build -tags "$TAGS" -trimpath -buildvcs=false -ldflags="$LDFLAGS" -o bin/${APP}-${GOOS}-${GOARCH}${EXT} .
-echo "Built: bin/${APP}-${GOOS}-${GOARCH}${EXT}"
-SCRIPT
-RUN chmod +x /usr/local/bin/build.sh
-
-WORKDIR /app
-ENTRYPOINT ["/usr/local/bin/build.sh"]
-CMD ["darwin", "arm64"]

client/ui/build/docker/Dockerfile.server

@@ -1,41 +0,0 @@
-# Wails Server Mode Dockerfile
-# Multi-stage build for minimal image size
-
-# Build stage
-FROM golang:alpine AS builder
-
-WORKDIR /app
-
-# Install build dependencies
-RUN apk add --no-cache git
-
-# Copy source code
-COPY . .
-
-# Remove local replace directive if present (for production builds)
-RUN sed -i '/^replace/d' go.mod || true
-
-# Download dependencies
-RUN go mod tidy
-
-# Build the server binary
-RUN go build -tags server -ldflags="-s -w" -o server .
-
-# Runtime stage - minimal image
-FROM gcr.io/distroless/static-debian12
-
-# Copy the binary
-COPY --from=builder /app/server /server
-
-# Copy frontend assets
-COPY --from=builder /app/frontend/dist /frontend/dist
-
-# Expose the default port
-EXPOSE 8080
-
-# Bind to all interfaces (required for Docker)
-# Can be overridden at runtime with -e WAILS_SERVER_HOST=...
-ENV WAILS_SERVER_HOST=0.0.0.0
-
-# Run the server
-ENTRYPOINT ["/server"]

client/ui/build/linux/Taskfile.yml

@@ -1,235 +0,0 @@
-version: '3'
-
-includes:
-  common: ../Taskfile.yml
-
-vars:
-  # Signing configuration - edit these values for your project
-  # PGP_KEY: "path/to/signing-key.asc"
-  # SIGN_ROLE: "builder"  # Options: origin, maint, archive, builder
-  #
-  # Password is stored securely in system keychain. Run: wails3 setup signing
-
-  # Docker image for cross-compilation (used when building on non-Linux or no CC available)
-  CROSS_IMAGE: wails-cross
-
-tasks:
-  build:
-    summary: Builds the application for Linux
-    cmds:
-      # Linux requires CGO - use Docker when:
-      # 1. Cross-compiling from non-Linux, OR
-      # 2. No C compiler is available, OR
-      # 3. Target architecture differs from host architecture (cross-arch compilation)
-      - task: '{{if and (eq OS "linux") (eq .HAS_CC "true") (eq .TARGET_ARCH ARCH)}}build:native{{else}}build:docker{{end}}'
-        vars:
-          ARCH: '{{.ARCH}}'
-          DEV: '{{.DEV}}'
-          OUTPUT: '{{.OUTPUT}}'
-          EXTRA_TAGS: '{{.EXTRA_TAGS}}'
-    vars:
-      DEFAULT_OUTPUT: '{{.BIN_DIR}}/{{.APP_NAME}}'
-      OUTPUT: '{{ .OUTPUT | default .DEFAULT_OUTPUT }}'
-      # Determine target architecture (defaults to host ARCH if not specified)
-      TARGET_ARCH: '{{.ARCH | default ARCH}}'
-      # Check if a C compiler is available (gcc or clang)
-      HAS_CC:
-        sh: '(command -v gcc >/dev/null 2>&1 || command -v clang >/dev/null 2>&1) && echo "true" || echo "false"'
-
-  build:native:
-    summary: Builds the application natively on Linux
-    internal: true
-    deps:
-      - task: common:go:mod:tidy
-      - task: common:build:frontend
-        vars:
-          BUILD_FLAGS:
-            ref: .BUILD_FLAGS
-          DEV:
-            ref: .DEV
-      - task: common:generate:icons
-      - task: generate:dotdesktop
-    cmds:
-      - go build {{.BUILD_FLAGS}} -o {{.OUTPUT}}
-    vars:
-      BUILD_FLAGS: '{{if eq .DEV "true"}}{{if .EXTRA_TAGS}}-tags {{.EXTRA_TAGS}} {{end}}-buildvcs=false -gcflags=all="-l"{{else}}-tags production{{if .EXTRA_TAGS}},{{.EXTRA_TAGS}}{{end}} -trimpath -buildvcs=false -ldflags="-w -s"{{end}}'
-      DEFAULT_OUTPUT: '{{.BIN_DIR}}/{{.APP_NAME}}'
-      OUTPUT: '{{ .OUTPUT | default .DEFAULT_OUTPUT }}'
-    env:
-      GOOS: linux
-      CGO_ENABLED: 1
-      GOARCH: '{{.ARCH | default ARCH}}'
-
-  build:docker:
-    summary: Builds for Linux using Docker (for non-Linux hosts or when no C compiler available)
-    internal: true
-    deps:
-      - task: common:build:frontend
-      - task: common:generate:icons
-      - task: generate:dotdesktop
-    preconditions:
-      - sh: docker info > /dev/null 2>&1
-        msg: "Docker is required for cross-compilation to Linux. Please install Docker."
-      - sh: docker image inspect {{.CROSS_IMAGE}} > /dev/null 2>&1
-        msg: |
-          Docker image '{{.CROSS_IMAGE}}' not found.
-          Build it first: wails3 task setup:docker
-    cmds:
-      - docker run --rm -v "{{.ROOT_DIR}}:/app" {{.GO_CACHE_MOUNT}} {{.REPLACE_MOUNTS}} -e APP_NAME="{{.APP_NAME}}" {{if .EXTRA_TAGS}}-e EXTRA_TAGS="{{.EXTRA_TAGS}}"{{end}} "{{.CROSS_IMAGE}}" linux {{.DOCKER_ARCH}}
-      - docker run --rm -v "{{.ROOT_DIR}}:/app" alpine chown -R $(id -u):$(id -g) /app/bin
-      - mkdir -p {{.BIN_DIR}}
-      - mv "bin/{{.APP_NAME}}-linux-{{.DOCKER_ARCH}}" "{{.OUTPUT}}"
-    vars:
-      DOCKER_ARCH: '{{.ARCH | default "amd64"}}'
-      DEFAULT_OUTPUT: '{{.BIN_DIR}}/{{.APP_NAME}}'
-      OUTPUT: '{{ .OUTPUT | default .DEFAULT_OUTPUT }}'
-      # Mount Go module cache for faster builds
-      GO_CACHE_MOUNT:
-        sh: 'echo "-v ${GOPATH:-$HOME/go}/pkg/mod:/go/pkg/mod"'
-      # Extract replace directives from go.mod and create -v mounts for each
-      REPLACE_MOUNTS:
-        sh: |
-          grep -E '^replace .* => ' go.mod 2>/dev/null | while read -r line; do
-            path=$(echo "$line" | sed -E 's/^replace .* => //' | tr -d '\r')
-            # Convert relative paths to absolute
-            if [ "${path#/}" = "$path" ]; then
-              path="$(cd "$(dirname "$path")" 2>/dev/null && pwd)/$(basename "$path")"
-            fi
-            # Only mount if directory exists
-            if [ -d "$path" ]; then
-              echo "-v $path:$path:ro"
-            fi
-          done | tr '\n' ' '
-
-  package:
-    summary: Packages the application for Linux
-    deps:
-      - task: build
-    cmds:
-      - task: create:appimage
-      - task: create:deb
-      - task: create:rpm
-      - task: create:aur
-
-  create:appimage:
-    summary: Creates an AppImage
-    dir: build/linux/appimage
-    deps:
-      - task: build
-      - task: generate:dotdesktop
-    cmds:
-      - cp "{{.APP_BINARY}}" "{{.APP_NAME}}"
-      - cp ../../appicon.png "{{.APP_NAME}}.png"
-      - wails3 generate appimage -binary "{{.APP_NAME}}" -icon {{.ICON}} -desktopfile {{.DESKTOP_FILE}} -outputdir {{.OUTPUT_DIR}} -builddir {{.ROOT_DIR}}/build/linux/appimage/build
-    vars:
-      APP_NAME: '{{.APP_NAME}}'
-      APP_BINARY: '../../../bin/{{.APP_NAME}}'
-      ICON: '{{.APP_NAME}}.png'
-      DESKTOP_FILE: '../{{.APP_NAME}}.desktop'
-      OUTPUT_DIR: '../../../bin'
-
-  create:deb:
-    summary: Creates a deb package
-    deps:
-      - task: build
-    cmds:
-      - task: generate:dotdesktop
-      - task: generate:deb
-
-  create:rpm:
-    summary: Creates a rpm package
-    deps:
-      - task: build
-    cmds:
-      - task: generate:dotdesktop
-      - task: generate:rpm
-
-  create:aur:
-    summary: Creates a arch linux packager package
-    deps:
-      - task: build
-    cmds:
-      - task: generate:dotdesktop
-      - task: generate:aur
-
-  generate:deb:
-    summary: Creates a deb package
-    cmds:
-      - wails3 tool package -name "{{.APP_NAME}}" -format deb -config ./build/linux/nfpm/nfpm.yaml -out {{.ROOT_DIR}}/bin
-
-  generate:rpm:
-    summary: Creates a rpm package
-    cmds:
-      - wails3 tool package -name "{{.APP_NAME}}" -format rpm -config ./build/linux/nfpm/nfpm.yaml -out {{.ROOT_DIR}}/bin
-
-  generate:aur:
-    summary: Creates a arch linux packager package
-    cmds:
-      - wails3 tool package -name "{{.APP_NAME}}" -format archlinux -config ./build/linux/nfpm/nfpm.yaml -out {{.ROOT_DIR}}/bin
-
-  generate:dotdesktop:
-    summary: Generates a `.desktop` file
-    dir: build
-    cmds:
-      - mkdir -p {{.ROOT_DIR}}/build/linux/appimage
-      - wails3 generate .desktop -name "{{.APP_NAME}}" -exec "{{.EXEC}}" -icon "{{.ICON}}" -outputfile "{{.ROOT_DIR}}/build/linux/{{.APP_NAME}}.desktop" -categories "{{.CATEGORIES}}"
-      # Wrap Exec= with `env WEBKIT_DISABLE_DMABUF_RENDERER=1 ...` so launches
-      # from any desktop environment use the working renderer. See build/linux/Taskfile.yml :run for the matching dev-mode env block.
-      - sed -i -E 's|^Exec=([^ ]+)(.*)$|Exec=env WEBKIT_DISABLE_DMABUF_RENDERER=1 \1\2|' {{.ROOT_DIR}}/build/linux/{{.APP_NAME}}.desktop
-    vars:
-      APP_NAME: '{{.APP_NAME}}'
-      EXEC: '{{.APP_NAME}}'
-      ICON: '{{.APP_NAME}}'
-      CATEGORIES: 'Development;'
-      OUTPUTFILE: '{{.ROOT_DIR}}/build/linux/{{.APP_NAME}}.desktop'
-
-  run:
-    cmds:
-      - '{{.BIN_DIR}}/{{.APP_NAME}}'
-    env:
-      # WebKitGTK 2.50's default DMA-BUF renderer fails on RDP, VirtualBox/QEMU,
-      # and some bare WMs (Fluxbox, dwm) where DRM dumb-buffer access is
-      # restricted. Disabling it falls back to the GLES2/cairo path which works
-      # everywhere. Production launchers must set this too.
-      WEBKIT_DISABLE_DMABUF_RENDERER: "1"
-
-  sign:deb:
-    summary: Signs the DEB package
-    desc: |
-      Signs the .deb package with a PGP key.
-      Configure PGP_KEY in the vars section at the top of this file.
-      Password is retrieved from system keychain (run: wails3 setup signing)
-    deps:
-      - task: create:deb
-    cmds:
-      - wails3 tool sign --input "{{.BIN_DIR}}/{{.APP_NAME}}*.deb" --pgp-key {{.PGP_KEY}} {{if .SIGN_ROLE}}--role {{.SIGN_ROLE}}{{end}}
-    preconditions:
-      - sh: '[ -n "{{.PGP_KEY}}" ]'
-        msg: "PGP_KEY is required. Set it in the vars section at the top of build/linux/Taskfile.yml"
-
-  sign:rpm:
-    summary: Signs the RPM package
-    desc: |
-      Signs the .rpm package with a PGP key.
-      Configure PGP_KEY in the vars section at the top of this file.
-      Password is retrieved from system keychain (run: wails3 setup signing)
-    deps:
-      - task: create:rpm
-    cmds:
-      - wails3 tool sign --input "{{.BIN_DIR}}/{{.APP_NAME}}*.rpm" --pgp-key {{.PGP_KEY}}
-    preconditions:
-      - sh: '[ -n "{{.PGP_KEY}}" ]'
-        msg: "PGP_KEY is required. Set it in the vars section at the top of build/linux/Taskfile.yml"
-
-  sign:packages:
-    summary: Signs all Linux packages (DEB and RPM)
-    desc: |
-      Signs both .deb and .rpm packages with a PGP key.
-      Configure PGP_KEY in the vars section at the top of this file.
-      Password is retrieved from system keychain (run: wails3 setup signing)
-    cmds:
-      - task: sign:deb
-      - task: sign:rpm
-    preconditions:
-      - sh: '[ -n "{{.PGP_KEY}}" ]'
-        msg: "PGP_KEY is required. Set it in the vars section at the top of build/linux/Taskfile.yml"

client/ui/build/linux/appimage/build.sh

@@ -1,35 +0,0 @@
-#!/usr/bin/env bash
-# Copyright (c) 2018-Present Lea Anthony
-# SPDX-License-Identifier: MIT
-
-# Fail script on any error
-set -euxo pipefail
-
-# Define variables
-APP_DIR="${APP_NAME}.AppDir"
-
-# Create AppDir structure
-mkdir -p "${APP_DIR}/usr/bin"
-cp -r "${APP_BINARY}" "${APP_DIR}/usr/bin/"
-cp "${ICON_PATH}" "${APP_DIR}/"
-cp "${DESKTOP_FILE}" "${APP_DIR}/"
-
-if [[ $(uname -m) == *x86_64* ]]; then
-    # Download linuxdeploy and make it executable
-    wget -q -4 -N https://github.com/linuxdeploy/linuxdeploy/releases/download/continuous/linuxdeploy-x86_64.AppImage
-    chmod +x linuxdeploy-x86_64.AppImage
-
-    # Run linuxdeploy to bundle the application
-    ./linuxdeploy-x86_64.AppImage --appdir "${APP_DIR}" --output appimage
-else
-    # Download linuxdeploy and make it executable (arm64)
-    wget -q -4 -N https://github.com/linuxdeploy/linuxdeploy/releases/download/continuous/linuxdeploy-aarch64.AppImage
-    chmod +x linuxdeploy-aarch64.AppImage
-
-    # Run linuxdeploy to bundle the application (arm64)
-    ./linuxdeploy-aarch64.AppImage --appdir "${APP_DIR}" --output appimage
-fi
-
-# Rename the generated AppImage
-mv "${APP_NAME}*.AppImage" "${APP_NAME}.AppImage"
-

client/ui/build/linux/desktop

@@ -1,13 +0,0 @@
-[Desktop Entry]
-Version=1.0
-Name=NetBird
-Comment=NetBird desktop client
-# The Exec line includes %u to pass the URL to the application
-Exec=/usr/local/bin/netbird-ui %u
-Terminal=false
-Type=Application
-Icon=netbird-ui
-Categories=Utility;
-StartupWMClass=netbird-ui
-
- 

client/ui/build/linux/netbird-ui.desktop

@@ -1,10 +0,0 @@
-[Desktop Entry]
-Type=Application
-Name=netbird-ui
-Exec=env WEBKIT_DISABLE_DMABUF_RENDERER=1 netbird-ui
-Icon=netbird-ui
-Categories=Development;
-Terminal=false
-Keywords=wails
-Version=1.0
-StartupNotify=false

client/ui/build/linux/nfpm/nfpm.yaml

@@ -1,67 +0,0 @@
-# Feel free to remove those if you don't want/need to use them.
-# Make sure to check the documentation at https://nfpm.goreleaser.com
-#
-# The lines below are called `modelines`. See `:help modeline`
-
-name: "netbird-ui"
-arch: ${GOARCH}
-platform: "linux"
-version: "0.0.1"
-section: "default"
-priority: "extra"
-maintainer: ${GIT_COMMITTER_NAME} <${GIT_COMMITTER_EMAIL}>
-description: "NetBird desktop client"
-vendor: "NetBird"
-homepage: "https://wails.io"
-license: "MIT"
-release: "1"
-
-contents:
-  - src: "./bin/netbird-ui"
-    dst: "/usr/local/bin/netbird-ui"
-  - src: "./build/appicon.png"
-    dst: "/usr/share/icons/hicolor/128x128/apps/netbird-ui.png"
-  - src: "./build/linux/netbird-ui.desktop"
-    dst: "/usr/share/applications/netbird-ui.desktop"
-
-# Default dependencies for Debian 12/Ubuntu 22.04+ with WebKit 4.1
-depends:
-  - libgtk-3-0
-  - libwebkit2gtk-4.1-0
-
-# Distribution-specific overrides for different package formats and WebKit versions
-overrides:
-  # RPM packages for RHEL/CentOS/AlmaLinux/Rocky Linux (WebKit 4.0)
-  rpm:
-    depends:
-      - gtk3
-      - webkit2gtk4.1
-  
-  # Arch Linux packages (WebKit 4.1)  
-  archlinux:
-    depends:
-      - gtk3
-      - webkit2gtk-4.1
-
-# scripts section to ensure desktop database is updated after install
-scripts:
-  postinstall: "./build/linux/nfpm/scripts/postinstall.sh"
-  # You can also add preremove, postremove if needed
-  # preremove: "./build/linux/nfpm/scripts/preremove.sh"
-  # postremove: "./build/linux/nfpm/scripts/postremove.sh"
-
-# replaces:
-#   - foobar
-# provides:
-#   - bar
-# depends:
-#   - gtk3
-#   - libwebkit2gtk
-# recommends:
-#   - whatever
-# suggests:
-#   - something-else
-# conflicts:
-#   - not-foo
-#   - not-bar
-# changelog: "changelog.yaml"

client/ui/build/linux/nfpm/scripts/postinstall.sh

@@ -1,21 +0,0 @@
-#!/bin/sh
-
-# Update desktop database for .desktop file changes
-# This makes the application appear in application menus and registers its capabilities.
-if command -v update-desktop-database >/dev/null 2>&1; then
-  echo "Updating desktop database..."
-  update-desktop-database -q /usr/share/applications
-else
-  echo "Warning: update-desktop-database command not found. Desktop file may not be immediately recognized." >&2
-fi
-
-# Update MIME database for custom URL schemes (x-scheme-handler)
-# This ensures the system knows how to handle your custom protocols.
-if command -v update-mime-database >/dev/null 2>&1; then
-  echo "Updating MIME database..."
-  update-mime-database -n /usr/share/mime
-else
-  echo "Warning: update-mime-database command not found. Custom URL schemes may not be immediately recognized." >&2
-fi
-
-exit 0

client/ui/build/linux/nfpm/scripts/postremove.sh

@@ -1 +0,0 @@
-#!/bin/bash

client/ui/build/linux/nfpm/scripts/preinstall.sh

@@ -1 +0,0 @@
-#!/bin/bash

client/ui/build/linux/nfpm/scripts/preremove.sh

@@ -1 +0,0 @@
-#!/bin/bash

client/ui/build/netbird.desktop

@@ -1,8 +1,8 @@
 [Desktop Entry]
 Name=Netbird
-Exec=env WEBKIT_DISABLE_DMABUF_RENDERER=1 /usr/bin/netbird-ui
+Exec=/usr/bin/netbird-ui
 Icon=netbird
 Type=Application
 Terminal=false
 Categories=Utility;
-Keywords=netbird;
+Keywords=netbird;

client/ui/build/windows/Taskfile.yml

@@ -1,236 +0,0 @@
-version: '3'
-
-includes:
-  common: ../Taskfile.yml
-
-vars:
-  # Signing configuration - edit these values for your project
-  # SIGN_CERTIFICATE: "path/to/certificate.pfx"
-  # SIGN_THUMBPRINT: "certificate-thumbprint"  # Alternative to SIGN_CERTIFICATE
-  # TIMESTAMP_SERVER: "http://timestamp.digicert.com"
-  #
-  # Password is stored securely in system keychain. Run: wails3 setup signing
-
-  # Docker image for cross-compilation with CGO (used when CGO_ENABLED=1 on non-Windows)
-  CROSS_IMAGE: wails-cross
-
-tasks:
-  build:
-    summary: Builds the application for Windows
-    cmds:
-      # CGO Windows builds from Linux use mingw-w64 (lighter than docker).
-      # Docker is only needed if mingw-w64 is unavailable.
-      - task: build:native
-        vars:
-          ARCH: '{{.ARCH}}'
-          DEV: '{{.DEV}}'
-          EXTRA_TAGS: '{{.EXTRA_TAGS}}'
-    vars:
-      CGO_ENABLED: '{{.CGO_ENABLED | default "0"}}'
-
-  build:console:
-    summary: Builds a console-attached Windows binary so logs go to the terminal.
-    desc: |
-      Same as `windows:build` but links against the console PE subsystem
-      instead of windowsgui, so stdout/stderr (logrus, panics) print to the
-      terminal that launched the .exe. Useful for chasing tray, event-stream,
-      or daemon-RPC bugs that have no other feedback channel on Windows.
-
-      Output is bin/netbird-ui-console.exe — kept distinct so the production
-      binary built by `windows:build` isn't shadowed.
-
-      Cross-compile from Linux works the same way:
-        CGO_ENABLED=1 task windows:build:console
-    deps:
-      - task: common:go:mod:tidy
-      - task: common:build:frontend
-        vars:
-          BUILD_FLAGS:
-            ref: .BUILD_FLAGS
-          DEV:
-            ref: .DEV
-      - task: common:generate:icons
-    preconditions:
-      - sh: '[ "{{OS}}" = "windows" ] || [ "{{.CGO_ENABLED}}" != "1" ] || command -v {{.CC}}'
-        msg: "{{.CC}} not found. Install with: sudo apt-get install gcc-mingw-w64-x86-64 (Debian/Ubuntu) / sudo dnf install mingw64-gcc (Fedora)"
-    cmds:
-      - task: generate:syso
-      - go build {{.BUILD_FLAGS}} -o "{{.BIN_DIR}}/{{.APP_NAME}}-console.exe"
-      - cmd: powershell Remove-item *.syso
-        platforms: [windows]
-      - cmd: rm -f *.syso
-        platforms: [linux, darwin]
-    vars:
-      # Identical to build:native's flags except no -H windowsgui, so the
-      # binary attaches to the launching console.
-      BUILD_FLAGS: '-tags production{{if .EXTRA_TAGS}},{{.EXTRA_TAGS}}{{end}} -trimpath -buildvcs=false -ldflags="-w -s"'
-      CGO_ENABLED: '{{.CGO_ENABLED | default "0"}}'
-      CC: '{{.CC | default "x86_64-w64-mingw32-gcc"}}'
-    env:
-      GOOS: windows
-      CGO_ENABLED: '{{.CGO_ENABLED}}'
-      GOARCH: '{{.ARCH | default ARCH}}'
-      CC: '{{.CC}}'
-
-  build:native:
-    summary: Builds for Windows natively, or cross-compiles from Linux/macOS via mingw-w64.
-    internal: true
-    deps:
-      - task: common:go:mod:tidy
-      - task: common:build:frontend
-        vars:
-          BUILD_FLAGS:
-            ref: .BUILD_FLAGS
-          DEV:
-            ref: .DEV
-      - task: common:generate:icons
-    preconditions:
-      # When cross-compiling with CGO from a non-Windows host, the mingw-w64
-      # cross-gcc must be present. Native Windows builds skip this check.
-      - sh: '[ "{{OS}}" = "windows" ] || [ "{{.CGO_ENABLED}}" != "1" ] || command -v {{.CC}}'
-        msg: "{{.CC}} not found. Install with: sudo apt-get install gcc-mingw-w64-x86-64 (Debian/Ubuntu) / sudo dnf install mingw64-gcc (Fedora)"
-    cmds:
-      - task: generate:syso
-      - go build {{.BUILD_FLAGS}} -o "{{.BIN_DIR}}/{{.APP_NAME}}.exe"
-      - cmd: powershell Remove-item *.syso
-        platforms: [windows]
-      - cmd: rm -f *.syso
-        platforms: [linux, darwin]
-    vars:
-      BUILD_FLAGS: '{{if eq .DEV "true"}}{{if .EXTRA_TAGS}}-tags {{.EXTRA_TAGS}} {{end}}-buildvcs=false -gcflags=all="-l"{{else}}-tags production{{if .EXTRA_TAGS}},{{.EXTRA_TAGS}}{{end}} -trimpath -buildvcs=false -ldflags="-w -s -H windowsgui"{{end}}'
-      CGO_ENABLED: '{{.CGO_ENABLED | default "0"}}'
-      CC: '{{.CC | default "x86_64-w64-mingw32-gcc"}}'
-    env:
-      GOOS: windows
-      CGO_ENABLED: '{{.CGO_ENABLED}}'
-      GOARCH: '{{.ARCH | default ARCH}}'
-      CC: '{{.CC}}'
-
-  build:docker:
-    summary: Cross-compiles for Windows using Docker with Zig (for CGO builds on non-Windows)
-    internal: true
-    deps:
-      - task: common:build:frontend
-      - task: common:generate:icons
-    preconditions:
-      - sh: docker info > /dev/null 2>&1
-        msg: "Docker is required for CGO cross-compilation. Please install Docker."
-      - sh: docker image inspect {{.CROSS_IMAGE}} > /dev/null 2>&1
-        msg: |
-          Docker image '{{.CROSS_IMAGE}}' not found.
-          Build it first: wails3 task setup:docker
-    cmds:
-      - task: generate:syso
-      - docker run --rm -v "{{.ROOT_DIR}}:/app" {{.GO_CACHE_MOUNT}} {{.REPLACE_MOUNTS}} -e APP_NAME="{{.APP_NAME}}" {{if .EXTRA_TAGS}}-e EXTRA_TAGS="{{.EXTRA_TAGS}}"{{end}} {{.CROSS_IMAGE}} windows {{.DOCKER_ARCH}}
-      - docker run --rm -v "{{.ROOT_DIR}}:/app" alpine chown -R $(id -u):$(id -g) /app/bin
-      - rm -f *.syso
-    vars:
-      DOCKER_ARCH: '{{.ARCH | default "amd64"}}'
-      # Mount Go module cache for faster builds
-      GO_CACHE_MOUNT:
-        sh: 'echo "-v ${GOPATH:-$HOME/go}/pkg/mod:/go/pkg/mod"'
-      # Extract replace directives from go.mod and create -v mounts for each
-      REPLACE_MOUNTS:
-        sh: |
-          grep -E '^replace .* => ' go.mod 2>/dev/null | while read -r line; do
-            path=$(echo "$line" | sed -E 's/^replace .* => //' | tr -d '\r')
-            # Convert relative paths to absolute
-            if [ "${path#/}" = "$path" ]; then
-              path="$(cd "$(dirname "$path")" 2>/dev/null && pwd)/$(basename "$path")"
-            fi
-            # Only mount if directory exists
-            if [ -d "$path" ]; then
-              echo "-v $path:$path:ro"
-            fi
-          done | tr '\n' ' '
-
-  package:
-    summary: Packages the application
-    cmds:
-      - task: '{{if eq (.FORMAT | default "nsis") "msix"}}create:msix:package{{else}}create:nsis:installer{{end}}'
-    vars:
-      FORMAT: '{{.FORMAT | default "nsis"}}'
-
-  generate:syso:
-    summary: Generates Windows `.syso` file
-    dir: build
-    cmds:
-      - wails3 generate syso -arch {{.ARCH}} -icon windows/icon.ico -manifest windows/wails.exe.manifest -info windows/info.json -out ../wails_windows_{{.ARCH}}.syso
-    vars:
-      ARCH: '{{.ARCH | default ARCH}}'
-
-  create:nsis:installer:
-    summary: Creates an NSIS installer
-    dir: build/windows/nsis
-    deps:
-      - task: build
-    cmds:
-      # Create the Microsoft WebView2 bootstrapper if it doesn't exist
-      - wails3 generate webview2bootstrapper -dir "{{.ROOT_DIR}}/build/windows/nsis"
-      - | 
-        {{if eq OS "windows"}}
-        makensis -DARG_WAILS_{{.ARG_FLAG}}_BINARY="{{.ROOT_DIR}}\{{.BIN_DIR}}\{{.APP_NAME}}.exe" project.nsi
-        {{else}}
-        makensis -DARG_WAILS_{{.ARG_FLAG}}_BINARY="{{.ROOT_DIR}}/{{.BIN_DIR}}/{{.APP_NAME}}.exe" project.nsi
-        {{end}}
-    vars:
-      ARCH: '{{.ARCH | default ARCH}}'
-      ARG_FLAG: '{{if eq .ARCH "amd64"}}AMD64{{else}}ARM64{{end}}'
-
-  create:msix:package:
-    summary: Creates an MSIX package
-    deps:
-      - task: build
-    cmds:
-      - |-
-        wails3 tool msix \
-          --config "{{.ROOT_DIR}}/wails.json" \
-          --name "{{.APP_NAME}}" \
-          --executable "{{.ROOT_DIR}}/{{.BIN_DIR}}/{{.APP_NAME}}.exe" \
-          --arch "{{.ARCH}}" \
-          --out "{{.ROOT_DIR}}/{{.BIN_DIR}}/{{.APP_NAME}}-{{.ARCH}}.msix" \
-          {{if .CERT_PATH}}--cert "{{.CERT_PATH}}"{{end}} \
-          {{if .PUBLISHER}}--publisher "{{.PUBLISHER}}"{{end}} \
-          {{if .USE_MSIX_TOOL}}--use-msix-tool{{else}}--use-makeappx{{end}}
-    vars:
-      ARCH: '{{.ARCH | default ARCH}}'
-      CERT_PATH: '{{.CERT_PATH | default ""}}'
-      PUBLISHER: '{{.PUBLISHER | default ""}}'
-      USE_MSIX_TOOL: '{{.USE_MSIX_TOOL | default "false"}}'
-
-  install:msix:tools:
-    summary: Installs tools required for MSIX packaging
-    cmds:
-      - wails3 tool msix-install-tools
-
-  run:
-    cmds:
-      - '{{.BIN_DIR}}/{{.APP_NAME}}.exe'
-
-  sign:
-    summary: Signs the Windows executable
-    desc: |
-      Signs the .exe with an Authenticode certificate.
-      Configure SIGN_CERTIFICATE or SIGN_THUMBPRINT in the vars section at the top of this file.
-      Password is retrieved from system keychain (run: wails3 setup signing)
-    deps:
-      - task: build
-    cmds:
-      - wails3 tool sign --input "{{.BIN_DIR}}/{{.APP_NAME}}.exe" {{if .SIGN_CERTIFICATE}}--certificate {{.SIGN_CERTIFICATE}}{{end}} {{if .SIGN_THUMBPRINT}}--thumbprint {{.SIGN_THUMBPRINT}}{{end}} {{if .TIMESTAMP_SERVER}}--timestamp {{.TIMESTAMP_SERVER}}{{end}}
-    preconditions:
-      - sh: '[ -n "{{.SIGN_CERTIFICATE}}" ] || [ -n "{{.SIGN_THUMBPRINT}}" ]'
-        msg: "Either SIGN_CERTIFICATE or SIGN_THUMBPRINT is required. Set it in the vars section at the top of build/windows/Taskfile.yml"
-
-  sign:installer:
-    summary: Signs the NSIS installer
-    desc: |
-      Creates and signs the NSIS installer.
-      Configure SIGN_CERTIFICATE or SIGN_THUMBPRINT in the vars section at the top of this file.
-      Password is retrieved from system keychain (run: wails3 setup signing)
-    deps:
-      - task: create:nsis:installer
-    cmds:
-      - wails3 tool sign --input "build/windows/nsis/{{.APP_NAME}}-installer.exe" {{if .SIGN_CERTIFICATE}}--certificate {{.SIGN_CERTIFICATE}}{{end}} {{if .SIGN_THUMBPRINT}}--thumbprint {{.SIGN_THUMBPRINT}}{{end}} {{if .TIMESTAMP_SERVER}}--timestamp {{.TIMESTAMP_SERVER}}{{end}}
-    preconditions:
-      - sh: '[ -n "{{.SIGN_CERTIFICATE}}" ] || [ -n "{{.SIGN_THUMBPRINT}}" ]'
-        msg: "Either SIGN_CERTIFICATE or SIGN_THUMBPRINT is required. Set it in the vars section at the top of build/windows/Taskfile.yml"